Analysis
-
max time kernel
94s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 21:48
Behavioral task
behavioral1
Sample
2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe
-
Size
177KB
-
MD5
2f7b4c3e4c1ee555ca453bdc532b4b60
-
SHA1
c6ca04523c68309033af4cdc6b6ea923b06e4270
-
SHA256
b1b3b847e86678c6acc44dfa87e458d573b1c71e896f4767c4a151018b14436d
-
SHA512
7eb9d0cc3478ee9dd6796c9dab6aa41dbaa0bb2f501ab2c193a62c21b4d69b3124eb79c4bb8e578943ab522deacb7020aa64d282255a49fa65a283291294de9c
-
SSDEEP
3072:vdqcbd3LgIQx6WlNv6n3g3q/haR5sS+vfvLHhjh8g1eGFyOsa:lqcZLgNwWlNSn3ga/harSvLHh98gwG06
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oocddono.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmbjgpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkaejf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdckaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmflf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edmjfifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmkoeqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjcnold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjoiil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcddcbab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodfajaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaohcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikaggmii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbdopck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhncdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbmibhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjinkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhfkopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddgmbpb.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000700000002328e-6.dat family_berbew behavioral2/files/0x0007000000023444-15.dat family_berbew behavioral2/files/0x0007000000023446-23.dat family_berbew behavioral2/files/0x0007000000023448-32.dat family_berbew behavioral2/files/0x000700000002344a-39.dat family_berbew behavioral2/files/0x000700000002344c-47.dat family_berbew behavioral2/files/0x000700000002344e-55.dat family_berbew behavioral2/files/0x0007000000023450-63.dat family_berbew behavioral2/files/0x0007000000023452-71.dat family_berbew behavioral2/files/0x0007000000023454-79.dat family_berbew behavioral2/files/0x0007000000023456-82.dat family_berbew behavioral2/files/0x0007000000023458-95.dat family_berbew behavioral2/files/0x000700000002345a-103.dat family_berbew behavioral2/files/0x000700000002345c-106.dat family_berbew behavioral2/files/0x000700000002345e-119.dat family_berbew behavioral2/files/0x0007000000023460-127.dat family_berbew behavioral2/files/0x0007000000023462-135.dat family_berbew behavioral2/files/0x000900000002343d-143.dat family_berbew behavioral2/files/0x0007000000023465-151.dat family_berbew behavioral2/files/0x0007000000023467-159.dat family_berbew behavioral2/files/0x0007000000023469-167.dat family_berbew behavioral2/files/0x000700000002346b-175.dat family_berbew behavioral2/files/0x000700000002346d-183.dat family_berbew behavioral2/files/0x000700000002346f-191.dat family_berbew behavioral2/files/0x0007000000023471-201.dat family_berbew behavioral2/files/0x0007000000023473-207.dat family_berbew behavioral2/files/0x0007000000023475-215.dat family_berbew behavioral2/files/0x0007000000023477-223.dat family_berbew behavioral2/files/0x0007000000023479-231.dat family_berbew behavioral2/files/0x000700000002347b-239.dat family_berbew behavioral2/files/0x000700000002347d-247.dat family_berbew behavioral2/files/0x000700000002347f-255.dat family_berbew behavioral2/files/0x0007000000023489-282.dat family_berbew behavioral2/files/0x00070000000234b9-468.dat family_berbew behavioral2/files/0x00070000000234d3-536.dat family_berbew behavioral2/files/0x00070000000234ea-615.dat family_berbew behavioral2/files/0x000700000002355f-1031.dat family_berbew behavioral2/files/0x0007000000023563-1046.dat family_berbew behavioral2/files/0x000700000002356d-1080.dat family_berbew behavioral2/files/0x0007000000023573-1098.dat family_berbew behavioral2/files/0x0007000000023579-1120.dat family_berbew behavioral2/files/0x000700000002357d-1133.dat family_berbew behavioral2/files/0x000700000002358f-1193.dat family_berbew behavioral2/files/0x000700000002359f-1244.dat family_berbew behavioral2/files/0x00070000000235bb-1334.dat family_berbew behavioral2/files/0x00070000000235c1-1352.dat family_berbew behavioral2/files/0x00070000000235cd-1393.dat family_berbew behavioral2/files/0x00070000000235d7-1426.dat family_berbew behavioral2/files/0x00070000000235dd-1447.dat family_berbew behavioral2/files/0x00070000000235e5-1474.dat family_berbew behavioral2/files/0x00070000000235eb-1494.dat family_berbew behavioral2/files/0x00070000000235ef-1508.dat family_berbew behavioral2/files/0x00070000000235f3-1522.dat family_berbew behavioral2/files/0x00070000000235ff-1564.dat family_berbew behavioral2/files/0x0007000000023605-1585.dat family_berbew behavioral2/files/0x0007000000023609-1599.dat family_berbew behavioral2/files/0x0007000000023615-1641.dat family_berbew behavioral2/files/0x0007000000023619-1655.dat family_berbew behavioral2/files/0x000700000002361f-1676.dat family_berbew behavioral2/files/0x0007000000023627-1704.dat family_berbew behavioral2/files/0x000700000002362b-1717.dat family_berbew behavioral2/files/0x0007000000023631-1737.dat family_berbew behavioral2/files/0x0007000000023643-1800.dat family_berbew behavioral2/files/0x000700000002364d-1835.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 692 Onmhgb32.exe 3092 Odgqdlnj.exe 4464 Peimil32.exe 2992 Pkceffcd.exe 32 Pcojkhap.exe 3828 Pkfblfab.exe 1792 Pcagphom.exe 2420 Pnfkma32.exe 3764 Paegjl32.exe 3008 Pjmlbbdg.exe 5048 Qecppkdm.exe 2456 Qkmhlekj.exe 1732 Qbgqio32.exe 4692 Qchmagie.exe 3612 Qnnanphk.exe 372 Agffge32.exe 4004 Ajdbcano.exe 3356 Acmflf32.exe 1336 Anbkio32.exe 2628 Ahkobekf.exe 8 Aacckjaf.exe 3544 Ahmlgd32.exe 2240 Abbpem32.exe 4908 Alkdnboj.exe 3136 Becifhfj.exe 1684 Blmacb32.exe 3980 Bjbndobo.exe 2488 Behbag32.exe 4732 Blbknaib.exe 4244 Bejogg32.exe 4684 Bjghpn32.exe 1876 Bdolhc32.exe 228 Cbqlfkmi.exe 536 Cdainc32.exe 696 Cogmkl32.exe 2152 Ceaehfjj.exe 5012 Cknnpm32.exe 3152 Cahfmgoo.exe 2724 Clnjjpod.exe 5004 Cbgbgj32.exe 1464 Cdiooblp.exe 3372 Cbjoljdo.exe 1460 Camphf32.exe 4748 Cdkldb32.exe 1096 Doqpak32.exe 4308 Daolnf32.exe 1128 Ddmhja32.exe 1860 Dkgqfl32.exe 1688 Daaicfgd.exe 1088 Ddpeoafg.exe 4548 Dkjmlk32.exe 3340 Dbaemi32.exe 3088 Deoaid32.exe 4844 Dlijfneg.exe 3804 Dohfbj32.exe 3176 Dddojq32.exe 1184 Dllfkn32.exe 1508 Dojcgi32.exe 4772 Dahode32.exe 456 Ddgkpp32.exe 1100 Dlncan32.exe 4728 Eolpmi32.exe 3148 Eefhjc32.exe 4460 Ekcpbj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Keoakjca.dll Ceaehfjj.exe File opened for modification C:\Windows\SysWOW64\Nohehq32.exe Nhnlkfpp.exe File created C:\Windows\SysWOW64\Mdeodj32.dll Ljhefhha.exe File created C:\Windows\SysWOW64\Ppnenlka.exe Process not Found File created C:\Windows\SysWOW64\Dlijfneg.exe Deoaid32.exe File created C:\Windows\SysWOW64\Aokcklid.exe Qhakoa32.exe File opened for modification C:\Windows\SysWOW64\Lljklo32.exe Process not Found File created C:\Windows\SysWOW64\Mfeeabda.exe Process not Found File created C:\Windows\SysWOW64\Ccbolagk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pcojkhap.exe Pkceffcd.exe File created C:\Windows\SysWOW64\Dbagnedl.dll Pjhlml32.exe File created C:\Windows\SysWOW64\Ggeboaob.exe Gdgfce32.exe File opened for modification C:\Windows\SysWOW64\Agbkmijg.exe Aokcklid.exe File opened for modification C:\Windows\SysWOW64\Lnbklm32.exe Lieccf32.exe File created C:\Windows\SysWOW64\Mkfefigf.dll Process not Found File created C:\Windows\SysWOW64\Ckdkhq32.exe Process not Found File created C:\Windows\SysWOW64\Bcfmgfde.dll Dlijfneg.exe File created C:\Windows\SysWOW64\Hmhhehlb.exe Heapdjlp.exe File opened for modification C:\Windows\SysWOW64\Aojlaeei.exe Ahqddk32.exe File created C:\Windows\SysWOW64\Kggcnoic.exe Kclgmq32.exe File opened for modification C:\Windows\SysWOW64\Mcaipa32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nbnlaldg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nbphglbe.exe Process not Found File created C:\Windows\SysWOW64\Ginlmijp.dll Loglacfo.exe File created C:\Windows\SysWOW64\Fngbbg32.dll Lgkpdcmi.exe File created C:\Windows\SysWOW64\Oldamm32.exe Oifeab32.exe File created C:\Windows\SysWOW64\Fplpll32.exe Fibhpbea.exe File created C:\Windows\SysWOW64\Jjpode32.exe Process not Found File created C:\Windows\SysWOW64\Cpbjkn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gnnccl32.exe Process not Found File created C:\Windows\SysWOW64\Qnnanphk.exe Qchmagie.exe File created C:\Windows\SysWOW64\Agiamhdo.exe Aqoiqn32.exe File opened for modification C:\Windows\SysWOW64\Gpnmbl32.exe Fmpqfq32.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Process not Found File created C:\Windows\SysWOW64\Ljcpchlo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kjeiodek.exe Process not Found File opened for modification C:\Windows\SysWOW64\Amqhbe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Glfmgp32.exe Process not Found File created C:\Windows\SysWOW64\Bjmkmfbo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe Process not Found File created C:\Windows\SysWOW64\Kfjhkjle.exe Jmbdbd32.exe File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe Cjbpaf32.exe File created C:\Windows\SysWOW64\Bmdjdfgl.dll Fkihnmhj.exe File created C:\Windows\SysWOW64\Ifaciolc.dll Process not Found File created C:\Windows\SysWOW64\Iblhpckf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Process not Found File created C:\Windows\SysWOW64\Jpbhgp32.dll Process not Found File created C:\Windows\SysWOW64\Kmdjdl32.dll Deokon32.exe File opened for modification C:\Windows\SysWOW64\Lpbopfag.exe Lhkgoiqe.exe File created C:\Windows\SysWOW64\Epcdqd32.exe Emehdh32.exe File created C:\Windows\SysWOW64\Blickdlj.dll Ejchhgid.exe File created C:\Windows\SysWOW64\Appnje32.dll Jjafok32.exe File created C:\Windows\SysWOW64\Ilkojc32.dll Peimil32.exe File created C:\Windows\SysWOW64\Anbkio32.exe Acmflf32.exe File opened for modification C:\Windows\SysWOW64\Knippe32.exe Kimghn32.exe File opened for modification C:\Windows\SysWOW64\Jgkmgk32.exe Process not Found File created C:\Windows\SysWOW64\Hclkag32.dll Process not Found File created C:\Windows\SysWOW64\Apmpkall.dll Process not Found File created C:\Windows\SysWOW64\Gcfqfc32.exe Gkoiefmj.exe File opened for modification C:\Windows\SysWOW64\Bfendmoc.exe Bkoigdom.exe File opened for modification C:\Windows\SysWOW64\Dpdaepai.exe Dmfeidbe.exe File opened for modification C:\Windows\SysWOW64\Hmlpaoaj.exe Gipdap32.exe File created C:\Windows\SysWOW64\Kqmfklog.dll Alkijdci.exe File created C:\Windows\SysWOW64\Klndfj32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 14524 14912 Process not Found 1635 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieefiiml.dll" Nookip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mblcnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plndcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll" Fcfhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkeodaai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qikgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Helbbkkj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikaggmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgndoeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcjfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaafjamj.dll" Eoekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacibgbo.dll" Nipekiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clnjjpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll" Cjbpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhgloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjekecm.dll" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdjqkoj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhlpfgbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfogeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoema32.dll" Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncdgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdbgdbg.dll" Gmcdffmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaajed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdomd32.dll" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaelmc32.dll" Ahmlgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcblpdgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panjjlqo.dll" Qbgqio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll" Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll" Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidcecbj.dll" Pjjahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabbod32.dll" Efkphnbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaamlecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkgabfn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmhja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefqkm32.dll" Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpnkama.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3328 wrote to memory of 692 3328 2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe 82 PID 3328 wrote to memory of 692 3328 2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe 82 PID 3328 wrote to memory of 692 3328 2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe 82 PID 692 wrote to memory of 3092 692 Onmhgb32.exe 83 PID 692 wrote to memory of 3092 692 Onmhgb32.exe 83 PID 692 wrote to memory of 3092 692 Onmhgb32.exe 83 PID 3092 wrote to memory of 4464 3092 Odgqdlnj.exe 84 PID 3092 wrote to memory of 4464 3092 Odgqdlnj.exe 84 PID 3092 wrote to memory of 4464 3092 Odgqdlnj.exe 84 PID 4464 wrote to memory of 2992 4464 Peimil32.exe 85 PID 4464 wrote to memory of 2992 4464 Peimil32.exe 85 PID 4464 wrote to memory of 2992 4464 Peimil32.exe 85 PID 2992 wrote to memory of 32 2992 Pkceffcd.exe 87 PID 2992 wrote to memory of 32 2992 Pkceffcd.exe 87 PID 2992 wrote to memory of 32 2992 Pkceffcd.exe 87 PID 32 wrote to memory of 3828 32 Pcojkhap.exe 88 PID 32 wrote to memory of 3828 32 Pcojkhap.exe 88 PID 32 wrote to memory of 3828 32 Pcojkhap.exe 88 PID 3828 wrote to memory of 1792 3828 Pkfblfab.exe 90 PID 3828 wrote to memory of 1792 3828 Pkfblfab.exe 90 PID 3828 wrote to memory of 1792 3828 Pkfblfab.exe 90 PID 1792 wrote to memory of 2420 1792 Pcagphom.exe 91 PID 1792 wrote to memory of 2420 1792 Pcagphom.exe 91 PID 1792 wrote to memory of 2420 1792 Pcagphom.exe 91 PID 2420 wrote to memory of 3764 2420 Pnfkma32.exe 92 PID 2420 wrote to memory of 3764 2420 Pnfkma32.exe 92 PID 2420 wrote to memory of 3764 2420 Pnfkma32.exe 92 PID 3764 wrote to memory of 3008 3764 Paegjl32.exe 94 PID 3764 wrote to memory of 3008 3764 Paegjl32.exe 94 PID 3764 wrote to memory of 3008 3764 Paegjl32.exe 94 PID 3008 wrote to memory of 5048 3008 Pjmlbbdg.exe 95 PID 3008 wrote to memory of 5048 3008 Pjmlbbdg.exe 95 PID 3008 wrote to memory of 5048 3008 Pjmlbbdg.exe 95 PID 5048 wrote to memory of 2456 5048 Qecppkdm.exe 96 PID 5048 wrote to memory of 2456 5048 Qecppkdm.exe 96 PID 5048 wrote to memory of 2456 5048 Qecppkdm.exe 96 PID 2456 wrote to memory of 1732 2456 Qkmhlekj.exe 97 PID 2456 wrote to memory of 1732 2456 Qkmhlekj.exe 97 PID 2456 wrote to memory of 1732 2456 Qkmhlekj.exe 97 PID 1732 wrote to memory of 4692 1732 Qbgqio32.exe 98 PID 1732 wrote to memory of 4692 1732 Qbgqio32.exe 98 PID 1732 wrote to memory of 4692 1732 Qbgqio32.exe 98 PID 4692 wrote to memory of 3612 4692 Qchmagie.exe 99 PID 4692 wrote to memory of 3612 4692 Qchmagie.exe 99 PID 4692 wrote to memory of 3612 4692 Qchmagie.exe 99 PID 3612 wrote to memory of 372 3612 Qnnanphk.exe 100 PID 3612 wrote to memory of 372 3612 Qnnanphk.exe 100 PID 3612 wrote to memory of 372 3612 Qnnanphk.exe 100 PID 372 wrote to memory of 4004 372 Agffge32.exe 101 PID 372 wrote to memory of 4004 372 Agffge32.exe 101 PID 372 wrote to memory of 4004 372 Agffge32.exe 101 PID 4004 wrote to memory of 3356 4004 Ajdbcano.exe 102 PID 4004 wrote to memory of 3356 4004 Ajdbcano.exe 102 PID 4004 wrote to memory of 3356 4004 Ajdbcano.exe 102 PID 3356 wrote to memory of 1336 3356 Acmflf32.exe 103 PID 3356 wrote to memory of 1336 3356 Acmflf32.exe 103 PID 3356 wrote to memory of 1336 3356 Acmflf32.exe 103 PID 1336 wrote to memory of 2628 1336 Anbkio32.exe 104 PID 1336 wrote to memory of 2628 1336 Anbkio32.exe 104 PID 1336 wrote to memory of 2628 1336 Anbkio32.exe 104 PID 2628 wrote to memory of 8 2628 Ahkobekf.exe 105 PID 2628 wrote to memory of 8 2628 Ahkobekf.exe 105 PID 2628 wrote to memory of 8 2628 Ahkobekf.exe 105 PID 8 wrote to memory of 3544 8 Aacckjaf.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2f7b4c3e4c1ee555ca453bdc532b4b60_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe24⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe25⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe26⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe27⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe28⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe29⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe30⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe31⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe32⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe33⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe34⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe35⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe36⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe38⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe39⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe41⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe42⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe43⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe44⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe45⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe46⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe47⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe49⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe50⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe51⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe52⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe53⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3088 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe56⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe57⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe59⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe60⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe61⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe62⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe63⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe64⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe65⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe66⤵PID:2512
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe67⤵PID:1456
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe68⤵PID:4332
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe69⤵PID:1764
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe70⤵PID:4284
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe71⤵PID:5044
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe72⤵PID:2784
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe73⤵PID:4764
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe74⤵PID:1416
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe75⤵PID:3896
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe76⤵PID:3552
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe77⤵
- Modifies registry class
PID:3352 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe78⤵PID:1244
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe79⤵
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe80⤵PID:4952
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe81⤵PID:4140
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe82⤵PID:4024
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe83⤵PID:3524
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe84⤵
- Modifies registry class
PID:3200 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe85⤵PID:912
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe86⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe87⤵PID:2376
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe88⤵PID:920
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe89⤵PID:4564
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe90⤵PID:2952
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe91⤵PID:3892
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe92⤵PID:2856
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe93⤵PID:1700
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe94⤵PID:1172
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe95⤵PID:996
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe96⤵PID:1576
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe97⤵PID:5132
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe98⤵PID:5172
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe99⤵
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe100⤵PID:5268
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe101⤵PID:5312
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe102⤵PID:5348
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe104⤵PID:5444
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe105⤵PID:5492
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe106⤵PID:5532
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe107⤵PID:5572
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe108⤵PID:5624
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe109⤵PID:5668
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe110⤵PID:5712
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe111⤵PID:5748
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe112⤵PID:5800
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe113⤵PID:5840
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe114⤵PID:5884
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe115⤵PID:5928
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe116⤵PID:5972
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe117⤵PID:6020
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe118⤵PID:6056
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe119⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe120⤵PID:4148
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe121⤵PID:5156
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-