Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 20:27
Behavioral task
behavioral1
Sample
12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe
-
Size
115KB
-
MD5
12689368725b4ccc7aa57d70ffb8a5f0
-
SHA1
9c0fee9a7cd74a8b6919fee6aff787b5c3d33708
-
SHA256
3ca9ab7e255bb60224c01aab12d8ff7340c2883669df6fe138f9b4aa02babada
-
SHA512
e0dc98f77bad3c966b2657c3f3b75911a85041fa55e3b610e6490305e61a79b53252ba6ce343d43ff3892eb2484247f1f0aff501e50b7ff0e9d68601f88b1fa9
-
SSDEEP
3072:MLIwfc3bIBkXTFW2VTbWymWU6SMQehalNgFuk0:IIwfcLOkXTf6ymWU5MClN5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elbmlmml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llcpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflplnlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehimanbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjolnaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmefhako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdqjceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkfblfab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boepel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldpkoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefbfgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgnilpah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqncedbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baocghgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdiooblp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgljmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifbang.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcpoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhdlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcebhoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjolnaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcagkdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcllonma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdckfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceoibflm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedeph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebdoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecppkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgfgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcagkdba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflcbngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpijnqkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdqba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blfdia32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000900000002328e-6.dat family_berbew behavioral2/files/0x0007000000023419-15.dat family_berbew behavioral2/files/0x000700000002341b-23.dat family_berbew behavioral2/files/0x000700000002341d-31.dat family_berbew behavioral2/files/0x000700000002341f-38.dat family_berbew behavioral2/files/0x0007000000023421-46.dat family_berbew behavioral2/files/0x0007000000023423-54.dat family_berbew behavioral2/files/0x0007000000023425-62.dat family_berbew behavioral2/files/0x0007000000023427-70.dat family_berbew behavioral2/files/0x0007000000023429-78.dat family_berbew behavioral2/files/0x000700000002342b-82.dat family_berbew behavioral2/files/0x000700000002342d-96.dat family_berbew behavioral2/files/0x000700000002342f-105.dat family_berbew behavioral2/files/0x0007000000023431-114.dat family_berbew behavioral2/files/0x0007000000023433-124.dat family_berbew behavioral2/files/0x0007000000023435-132.dat family_berbew behavioral2/files/0x0007000000023437-141.dat family_berbew behavioral2/files/0x0007000000023439-150.dat family_berbew behavioral2/files/0x000700000002343b-159.dat family_berbew behavioral2/files/0x000700000002343d-168.dat family_berbew behavioral2/files/0x000700000002343f-177.dat family_berbew behavioral2/files/0x0009000000023416-186.dat family_berbew behavioral2/files/0x0007000000023442-195.dat family_berbew behavioral2/files/0x0007000000023444-204.dat family_berbew behavioral2/files/0x0007000000023446-212.dat family_berbew behavioral2/files/0x0007000000023448-222.dat family_berbew behavioral2/files/0x000700000002344a-230.dat family_berbew behavioral2/files/0x000700000002344c-239.dat family_berbew behavioral2/files/0x000700000002344e-248.dat family_berbew behavioral2/files/0x0007000000023450-257.dat family_berbew behavioral2/files/0x0007000000023452-266.dat family_berbew behavioral2/files/0x0007000000023454-275.dat family_berbew behavioral2/files/0x0007000000023476-381.dat family_berbew behavioral2/files/0x000900000002347a-433.dat family_berbew behavioral2/files/0x00070000000234d3-708.dat family_berbew behavioral2/files/0x00070000000234d9-730.dat family_berbew behavioral2/files/0x00070000000234df-750.dat family_berbew behavioral2/files/0x00070000000234e3-763.dat family_berbew behavioral2/files/0x00070000000234e7-777.dat family_berbew behavioral2/files/0x00070000000234ef-805.dat family_berbew behavioral2/files/0x00070000000234f3-820.dat family_berbew behavioral2/files/0x000700000002350f-917.dat family_berbew behavioral2/files/0x0007000000023525-994.dat family_berbew behavioral2/files/0x0007000000023541-1089.dat family_berbew behavioral2/files/0x0007000000023547-1108.dat family_berbew behavioral2/files/0x0007000000023551-1139.dat family_berbew behavioral2/files/0x0007000000023557-1160.dat family_berbew behavioral2/files/0x000700000002355b-1174.dat family_berbew behavioral2/files/0x0007000000023569-1223.dat family_berbew behavioral2/files/0x0007000000023573-1258.dat family_berbew behavioral2/files/0x000700000002357d-1293.dat family_berbew behavioral2/files/0x0007000000023581-1307.dat family_berbew behavioral2/files/0x0007000000023591-1363.dat family_berbew behavioral2/files/0x0007000000023595-1377.dat family_berbew behavioral2/files/0x000700000002359b-1398.dat family_berbew behavioral2/files/0x00070000000235a3-1426.dat family_berbew behavioral2/files/0x00070000000235ad-1460.dat family_berbew behavioral2/files/0x00070000000235b1-1474.dat family_berbew behavioral2/files/0x00070000000235b5-1487.dat family_berbew behavioral2/files/0x00070000000235b9-1500.dat family_berbew behavioral2/files/0x00070000000235bd-1514.dat family_berbew behavioral2/files/0x00070000000235d7-1604.dat family_berbew behavioral2/files/0x00070000000235df-1632.dat family_berbew behavioral2/files/0x00070000000235e5-1652.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 5056 Pkfblfab.exe 1848 Pndohaqe.exe 2144 Pgmcqggf.exe 4468 Pnfkma32.exe 1184 Paegjl32.exe 3784 Pcccfh32.exe 3940 Pgopffec.exe 2128 Qecppkdm.exe 4244 Qjpiha32.exe 4848 Qbgqio32.exe 1916 Qgciaf32.exe 1360 Qnnanphk.exe 4832 Aegikj32.exe 1072 Agffge32.exe 924 Ajdbcano.exe 228 Aanjpk32.exe 2420 Aldomc32.exe 2172 Aaqgek32.exe 3344 Ajiknpjj.exe 936 Abpcon32.exe 4720 Alhhhcal.exe 2212 Abbpem32.exe 5116 Adcmmeog.exe 2412 Ajneip32.exe 3828 Becifhfj.exe 3236 Bdfibe32.exe 1568 Bajjli32.exe 4580 Bhdbhcck.exe 1840 Behbag32.exe 4212 Baocghgi.exe 2488 Bhikcb32.exe 4416 Bbnpqk32.exe 1660 Bdolhc32.exe 1792 Blfdia32.exe 3704 Boepel32.exe 4544 Ceoibflm.exe 2652 Cklaknjd.exe 4220 Cogmkl32.exe 2148 Ceaehfjj.exe 3608 Clkndpag.exe 8 Cknnpm32.exe 876 Cahfmgoo.exe 4632 Cdfbibnb.exe 1040 Colffknh.exe 5096 Cajcbgml.exe 5080 Cdiooblp.exe 3044 Clpgpp32.exe 3200 Cbjoljdo.exe 2740 Chghdqbf.exe 1240 Dbllbibl.exe 4196 Ddmhja32.exe 1216 Dldpkoil.exe 2688 Dkgqfl32.exe 4444 Dboigi32.exe 5044 Ddpeoafg.exe 5108 Dlgmpogj.exe 2972 Dkjmlk32.exe 1464 Dbaemi32.exe 1388 Deoaid32.exe 4828 Ddbbeade.exe 5024 Dlijfneg.exe 1504 Dohfbj32.exe 4856 Dccbbhld.exe 2876 Deanodkh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bbnpqk32.exe Bhikcb32.exe File created C:\Windows\SysWOW64\Ijnlbk32.dll Cahfmgoo.exe File created C:\Windows\SysWOW64\Jcllonma.exe Jeklag32.exe File created C:\Windows\SysWOW64\Ajfhnjhq.exe Aclpap32.exe File created C:\Windows\SysWOW64\Ceipnc32.dll Qjpiha32.exe File created C:\Windows\SysWOW64\Bajjli32.exe Bdfibe32.exe File opened for modification C:\Windows\SysWOW64\Hfnphn32.exe Hflcbngh.exe File opened for modification C:\Windows\SysWOW64\Pnfkma32.exe Pgmcqggf.exe File opened for modification C:\Windows\SysWOW64\Aaqgek32.exe Aldomc32.exe File created C:\Windows\SysWOW64\Pkbbae32.dll Hofdacke.exe File created C:\Windows\SysWOW64\Qoecnk32.dll Kiidgeki.exe File created C:\Windows\SysWOW64\Pdfjifjo.exe Pmoahijl.exe File opened for modification C:\Windows\SysWOW64\Aepefb32.exe Anfmjhmd.exe File created C:\Windows\SysWOW64\Ifllil32.exe Ipbdmaah.exe File created C:\Windows\SysWOW64\Canidb32.dll Kdcbom32.exe File created C:\Windows\SysWOW64\Mdckfk32.exe Lmiciaaj.exe File created C:\Windows\SysWOW64\Eiojlkkj.dll Aqncedbp.exe File opened for modification C:\Windows\SysWOW64\Afmhck32.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Cegdnopg.exe Cnnlaehj.exe File created C:\Windows\SysWOW64\Baocghgi.exe Behbag32.exe File created C:\Windows\SysWOW64\Dhoholen.dll Ehimanbq.exe File opened for modification C:\Windows\SysWOW64\Gfembo32.exe Gcfqfc32.exe File created C:\Windows\SysWOW64\Hfnphn32.exe Hflcbngh.exe File opened for modification C:\Windows\SysWOW64\Pjmehkqk.exe Pgnilpah.exe File created C:\Windows\SysWOW64\Hpoddikd.dll Acnlgp32.exe File opened for modification C:\Windows\SysWOW64\Lpqiemge.exe Lmbmibhb.exe File created C:\Windows\SysWOW64\Lbdolh32.exe Lmgfda32.exe File opened for modification C:\Windows\SysWOW64\Alhhhcal.exe Abpcon32.exe File created C:\Windows\SysWOW64\Mjbbkg32.dll Njefqo32.exe File created C:\Windows\SysWOW64\Eegdfm32.dll Aaqgek32.exe File created C:\Windows\SysWOW64\Facagg32.dll Behbag32.exe File created C:\Windows\SysWOW64\Lbkdpj32.dll Ghopckpi.exe File opened for modification C:\Windows\SysWOW64\Ojjolnaq.exe Ocpgod32.exe File created C:\Windows\SysWOW64\Npfhbbpk.dll Ddmhja32.exe File created C:\Windows\SysWOW64\Bqbodd32.dll Qjoankoi.exe File created C:\Windows\SysWOW64\Bkjpmk32.dll Aeniabfd.exe File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Ceckcp32.exe Cnicfe32.exe File created C:\Windows\SysWOW64\Dmefhako.exe Dfknkg32.exe File opened for modification C:\Windows\SysWOW64\Onhhamgg.exe Ognpebpj.exe File opened for modification C:\Windows\SysWOW64\Lfkaag32.exe Lpqiemge.exe File created C:\Windows\SysWOW64\Llgjjnlj.exe Lfkaag32.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Cahfmgoo.exe Cknnpm32.exe File opened for modification C:\Windows\SysWOW64\Fdnjgmle.exe Foabofnn.exe File created C:\Windows\SysWOW64\Jlpkba32.exe Jefbfgig.exe File created C:\Windows\SysWOW64\Ipenkiei.dll Ddbbeade.exe File opened for modification C:\Windows\SysWOW64\Lfhdlh32.exe Llcpoo32.exe File created C:\Windows\SysWOW64\Qffbbldm.exe Qcgffqei.exe File created C:\Windows\SysWOW64\Klohppck.dll Ceoibflm.exe File created C:\Windows\SysWOW64\Hfqlnm32.exe Hofdacke.exe File created C:\Windows\SysWOW64\Ickfifmb.dll Aclpap32.exe File opened for modification C:\Windows\SysWOW64\Iikhfg32.exe Ifllil32.exe File opened for modification C:\Windows\SysWOW64\Mgagbf32.exe Mdckfk32.exe File created C:\Windows\SysWOW64\Mjelcfha.dll Dmefhako.exe File opened for modification C:\Windows\SysWOW64\Bdolhc32.exe Bbnpqk32.exe File created C:\Windows\SysWOW64\Dohfbj32.exe Dlijfneg.exe File created C:\Windows\SysWOW64\Ikpaldog.exe Hbgmcnhf.exe File created C:\Windows\SysWOW64\Kqgmgehp.dll Mlcifmbl.exe File opened for modification C:\Windows\SysWOW64\Olmeci32.exe Ofcmfodb.exe File created C:\Windows\SysWOW64\Afmhck32.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Nknjccol.dll Edpnfo32.exe File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Hfnphn32.exe File created C:\Windows\SysWOW64\Jbhfjljd.exe Jcefno32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7564 7596 WerFault.exe 379 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dldpkoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" Bnhjohkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceehho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiidgeki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmkfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekclg32.dll" Gbgdlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjeoglgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbdolh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqbdjfln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhikcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbgdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmaef32.dll" Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll" Jfaedkdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" Bcebhoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndohaqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclnemml.dll" Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgme32.dll" Adcmmeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojjolnaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddojq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljcmlfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipdqba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll" Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmhja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iemppiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeaikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifllil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajfhnjhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecandfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjgop32.dll" Eocenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll" Onhhamgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paegjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecjhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcebhoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmenjlfh.dll" Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfqlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baocghgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll" Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhclbphg.dll" Fkciihgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll" Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlpkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hopnqdan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgnilpah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cahfmgoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llgjjnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" Aepefb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhikcb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2008 wrote to memory of 5056 2008 12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe 81 PID 2008 wrote to memory of 5056 2008 12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe 81 PID 2008 wrote to memory of 5056 2008 12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe 81 PID 5056 wrote to memory of 1848 5056 Pkfblfab.exe 82 PID 5056 wrote to memory of 1848 5056 Pkfblfab.exe 82 PID 5056 wrote to memory of 1848 5056 Pkfblfab.exe 82 PID 1848 wrote to memory of 2144 1848 Pndohaqe.exe 83 PID 1848 wrote to memory of 2144 1848 Pndohaqe.exe 83 PID 1848 wrote to memory of 2144 1848 Pndohaqe.exe 83 PID 2144 wrote to memory of 4468 2144 Pgmcqggf.exe 84 PID 2144 wrote to memory of 4468 2144 Pgmcqggf.exe 84 PID 2144 wrote to memory of 4468 2144 Pgmcqggf.exe 84 PID 4468 wrote to memory of 1184 4468 Pnfkma32.exe 85 PID 4468 wrote to memory of 1184 4468 Pnfkma32.exe 85 PID 4468 wrote to memory of 1184 4468 Pnfkma32.exe 85 PID 1184 wrote to memory of 3784 1184 Paegjl32.exe 87 PID 1184 wrote to memory of 3784 1184 Paegjl32.exe 87 PID 1184 wrote to memory of 3784 1184 Paegjl32.exe 87 PID 3784 wrote to memory of 3940 3784 Pcccfh32.exe 88 PID 3784 wrote to memory of 3940 3784 Pcccfh32.exe 88 PID 3784 wrote to memory of 3940 3784 Pcccfh32.exe 88 PID 3940 wrote to memory of 2128 3940 Pgopffec.exe 90 PID 3940 wrote to memory of 2128 3940 Pgopffec.exe 90 PID 3940 wrote to memory of 2128 3940 Pgopffec.exe 90 PID 2128 wrote to memory of 4244 2128 Qecppkdm.exe 91 PID 2128 wrote to memory of 4244 2128 Qecppkdm.exe 91 PID 2128 wrote to memory of 4244 2128 Qecppkdm.exe 91 PID 4244 wrote to memory of 4848 4244 Qjpiha32.exe 92 PID 4244 wrote to memory of 4848 4244 Qjpiha32.exe 92 PID 4244 wrote to memory of 4848 4244 Qjpiha32.exe 92 PID 4848 wrote to memory of 1916 4848 Qbgqio32.exe 93 PID 4848 wrote to memory of 1916 4848 Qbgqio32.exe 93 PID 4848 wrote to memory of 1916 4848 Qbgqio32.exe 93 PID 1916 wrote to memory of 1360 1916 Qgciaf32.exe 95 PID 1916 wrote to memory of 1360 1916 Qgciaf32.exe 95 PID 1916 wrote to memory of 1360 1916 Qgciaf32.exe 95 PID 1360 wrote to memory of 4832 1360 Qnnanphk.exe 96 PID 1360 wrote to memory of 4832 1360 Qnnanphk.exe 96 PID 1360 wrote to memory of 4832 1360 Qnnanphk.exe 96 PID 4832 wrote to memory of 1072 4832 Aegikj32.exe 97 PID 4832 wrote to memory of 1072 4832 Aegikj32.exe 97 PID 4832 wrote to memory of 1072 4832 Aegikj32.exe 97 PID 1072 wrote to memory of 924 1072 Agffge32.exe 98 PID 1072 wrote to memory of 924 1072 Agffge32.exe 98 PID 1072 wrote to memory of 924 1072 Agffge32.exe 98 PID 924 wrote to memory of 228 924 Ajdbcano.exe 99 PID 924 wrote to memory of 228 924 Ajdbcano.exe 99 PID 924 wrote to memory of 228 924 Ajdbcano.exe 99 PID 228 wrote to memory of 2420 228 Aanjpk32.exe 100 PID 228 wrote to memory of 2420 228 Aanjpk32.exe 100 PID 228 wrote to memory of 2420 228 Aanjpk32.exe 100 PID 2420 wrote to memory of 2172 2420 Aldomc32.exe 101 PID 2420 wrote to memory of 2172 2420 Aldomc32.exe 101 PID 2420 wrote to memory of 2172 2420 Aldomc32.exe 101 PID 2172 wrote to memory of 3344 2172 Aaqgek32.exe 102 PID 2172 wrote to memory of 3344 2172 Aaqgek32.exe 102 PID 2172 wrote to memory of 3344 2172 Aaqgek32.exe 102 PID 3344 wrote to memory of 936 3344 Ajiknpjj.exe 103 PID 3344 wrote to memory of 936 3344 Ajiknpjj.exe 103 PID 3344 wrote to memory of 936 3344 Ajiknpjj.exe 103 PID 936 wrote to memory of 4720 936 Abpcon32.exe 104 PID 936 wrote to memory of 4720 936 Abpcon32.exe 104 PID 936 wrote to memory of 4720 936 Abpcon32.exe 104 PID 4720 wrote to memory of 2212 4720 Alhhhcal.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\12689368725b4ccc7aa57d70ffb8a5f0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe23⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:5116 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe25⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe26⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3236 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe28⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4212 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe34⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe38⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe39⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe40⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe41⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe45⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe46⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe48⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe49⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe50⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe51⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4196 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe54⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe55⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe56⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe57⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe59⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe60⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4828 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe63⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe64⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe65⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe66⤵
- Modifies registry class
PID:3568 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe67⤵PID:2840
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe68⤵PID:3764
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe69⤵PID:3164
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe70⤵PID:3076
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe71⤵PID:2112
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe72⤵PID:4936
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe73⤵PID:1364
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe74⤵PID:740
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe75⤵PID:3204
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe76⤵PID:2600
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe77⤵PID:1052
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe78⤵PID:3548
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe79⤵
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe80⤵PID:3356
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe81⤵PID:340
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3320 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe83⤵PID:5040
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe84⤵PID:2004
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe85⤵PID:4652
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe87⤵PID:1428
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe88⤵
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe89⤵PID:4088
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe90⤵PID:3256
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe91⤵
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3948 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe93⤵
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3508 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe95⤵PID:4708
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe96⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe98⤵PID:4628
-
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe99⤵PID:2920
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe100⤵PID:1604
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe101⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe102⤵
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe103⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe104⤵PID:1336
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe105⤵PID:3248
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe107⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe108⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe109⤵PID:4404
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe110⤵
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe111⤵PID:5148
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe112⤵PID:5192
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe113⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5280 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe116⤵
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe117⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe118⤵PID:5456
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe119⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe120⤵PID:5544
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-