Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 13:23
Behavioral task
behavioral1
Sample
54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe
-
Size
548KB
-
MD5
076e0f1e6e8291050e9bae2d0aee6ba0
-
SHA1
7643b4443b3f4cc3c07aa76ae92ed3445fad2927
-
SHA256
54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26
-
SHA512
b5b24964330f0d9ffab406cbfdd6a259df25fa2e45a0d0c63ac02dd3491d3749298226c32408520853d08c7c26dbc9f0e46942109538e968921dcbe8760a7aa9
-
SSDEEP
12288:pIv+vP6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:WGq5htaSHFaZRBEYyqmaf2qwiHPKgRCW
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqmjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feocelll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofagfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgldfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paelfmaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncgmkmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqkill32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akepfpcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcojkhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojcgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poimpapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcadhgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpkiph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mleoafmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00070000000232a4-7.dat family_berbew behavioral2/files/0x0007000000023440-15.dat family_berbew behavioral2/files/0x0007000000023442-24.dat family_berbew behavioral2/files/0x0007000000023445-31.dat family_berbew behavioral2/files/0x0007000000023447-39.dat family_berbew behavioral2/files/0x0007000000023449-47.dat family_berbew behavioral2/files/0x000700000002344b-56.dat family_berbew behavioral2/files/0x000700000002344d-64.dat family_berbew behavioral2/files/0x000700000002344f-71.dat family_berbew behavioral2/files/0x0007000000023451-79.dat family_berbew behavioral2/files/0x0007000000023453-87.dat family_berbew behavioral2/files/0x0007000000023455-95.dat family_berbew behavioral2/files/0x0007000000023457-103.dat family_berbew behavioral2/files/0x000a000000023438-111.dat family_berbew behavioral2/files/0x000700000002345a-119.dat family_berbew behavioral2/files/0x000700000002345c-127.dat family_berbew behavioral2/files/0x000700000002345e-135.dat family_berbew behavioral2/files/0x0007000000023461-143.dat family_berbew behavioral2/files/0x0007000000023463-151.dat family_berbew behavioral2/files/0x0007000000023465-159.dat family_berbew behavioral2/files/0x0007000000023469-175.dat family_berbew behavioral2/files/0x000700000002346d-190.dat family_berbew behavioral2/files/0x000700000002346f-197.dat family_berbew behavioral2/files/0x0007000000023475-217.dat family_berbew behavioral2/files/0x0007000000023477-225.dat family_berbew behavioral2/files/0x000700000002347b-238.dat family_berbew behavioral2/files/0x000700000002347d-246.dat family_berbew behavioral2/files/0x0007000000023479-232.dat family_berbew behavioral2/files/0x0007000000023473-211.dat family_berbew behavioral2/files/0x0007000000023471-204.dat family_berbew behavioral2/files/0x000700000002346b-183.dat family_berbew behavioral2/files/0x0007000000023467-168.dat family_berbew behavioral2/files/0x00070000000234c3-458.dat family_berbew behavioral2/files/0x00070000000234cf-497.dat family_berbew behavioral2/files/0x0007000000023535-848.dat family_berbew behavioral2/files/0x0007000000023543-911.dat family_berbew behavioral2/files/0x0007000000023584-1139.dat family_berbew behavioral2/files/0x00070000000235ad-1268.dat family_berbew behavioral2/files/0x00070000000235cd-1372.dat family_berbew behavioral2/files/0x00070000000235d5-1398.dat family_berbew behavioral2/files/0x00070000000235e5-1451.dat family_berbew behavioral2/files/0x00070000000235f7-1507.dat family_berbew behavioral2/files/0x00070000000235fc-1526.dat family_berbew behavioral2/files/0x0007000000023600-1540.dat family_berbew behavioral2/files/0x0007000000023604-1552.dat family_berbew behavioral2/files/0x000700000002360c-1577.dat family_berbew behavioral2/files/0x0007000000023610-1591.dat family_berbew behavioral2/files/0x0007000000023614-1603.dat family_berbew behavioral2/files/0x0007000000023621-1643.dat family_berbew behavioral2/files/0x0007000000023631-1695.dat family_berbew behavioral2/files/0x0007000000023635-1708.dat family_berbew behavioral2/files/0x0007000000023639-1721.dat family_berbew behavioral2/files/0x0007000000023644-1747.dat family_berbew behavioral2/files/0x0007000000023661-1835.dat family_berbew behavioral2/files/0x000700000002366c-1868.dat family_berbew behavioral2/files/0x000700000002367a-1915.dat family_berbew behavioral2/files/0x0007000000023681-1938.dat family_berbew behavioral2/files/0x00070000000236b4-2122.dat family_berbew behavioral2/files/0x00070000000236ba-2146.dat family_berbew behavioral2/files/0x00070000000236cc-2208.dat family_berbew behavioral2/files/0x0008000000023686-2241.dat family_berbew behavioral2/files/0x0007000000023709-2439.dat family_berbew behavioral2/files/0x000700000002370f-2459.dat family_berbew behavioral2/files/0x0007000000023719-2491.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3016 Njfmke32.exe 4700 Nqpego32.exe 4140 Okeieh32.exe 1780 Ojjffddl.exe 4324 Occkojkm.exe 1676 Oqgkhnjf.exe 2184 Ocegdjij.exe 1320 Onklabip.exe 2064 Oqihnn32.exe 2520 Pgemphmn.exe 3940 Pqnaim32.exe 1592 Pjffbc32.exe 5072 Pcojkhap.exe 4336 Pndohaqe.exe 2068 Pabkdmpi.exe 1728 Pkhoae32.exe 2668 Peqcjkfp.exe 2028 Pkjlge32.exe 4152 Qecppkdm.exe 3048 Qgallfcq.exe 852 Qjpiha32.exe 2836 Qnkdhpjn.exe 2376 Qajadlja.exe 528 Qeemej32.exe 3632 Qchmagie.exe 3772 Qloebdig.exe 212 Qjbena32.exe 932 Qnnanphk.exe 4176 Qalnjkgo.exe 2968 Aegikj32.exe 1444 Agffge32.exe 4604 Alabgd32.exe 4024 Ajdbcano.exe 3036 Abkjdnoa.exe 2876 Aanjpk32.exe 3216 Aejfpjne.exe 1096 Ahhblemi.exe 5084 Aldomc32.exe 1616 Ajfoiqll.exe 756 Abngjnmo.exe 3648 Aaqgek32.exe 2616 Aelcfilb.exe 2592 Ahkobekf.exe 4960 Alfkbc32.exe 2312 Andgoobc.exe 1912 Abpcon32.exe 3096 Aacckjaf.exe 2352 Adapgfqj.exe 4980 Ahmlgd32.exe 4672 Ajkhdp32.exe 4064 Angddopp.exe 1412 Aaepqjpd.exe 2824 Aealah32.exe 3640 Ahoimd32.exe 616 Alkdnboj.exe 1956 Aniajnnn.exe 3076 Bahmfj32.exe 1136 Becifhfj.exe 336 Bhaebcen.exe 1796 Blmacb32.exe 3012 Bjpaooda.exe 316 Bbgipldd.exe 2436 Blpnib32.exe 3832 Bjdkjo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ohfami32.exe Oeheqm32.exe File opened for modification C:\Windows\SysWOW64\Gdnjfojj.exe Process not Found File created C:\Windows\SysWOW64\Jiooia32.dll Ljkifn32.exe File created C:\Windows\SysWOW64\Lbbfpo32.dll Aodogdmn.exe File created C:\Windows\SysWOW64\Kjmfjj32.exe Kdpmbc32.exe File opened for modification C:\Windows\SysWOW64\Lcggio32.exe Lqikmc32.exe File created C:\Windows\SysWOW64\Pfhfan32.exe Pcijeb32.exe File created C:\Windows\SysWOW64\Fknofqcc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Maggnali.exe Mkjnfkma.exe File opened for modification C:\Windows\SysWOW64\Afpjel32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Damfao32.exe Process not Found File created C:\Windows\SysWOW64\Mcaipa32.exe Process not Found File created C:\Windows\SysWOW64\Gofkje32.exe Glhonj32.exe File opened for modification C:\Windows\SysWOW64\Hbpgbo32.exe Hobkfd32.exe File created C:\Windows\SysWOW64\Nookip32.exe Nibbqicm.exe File opened for modification C:\Windows\SysWOW64\Legjmh32.exe Lnnbqnjn.exe File created C:\Windows\SysWOW64\Apggckbf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ldikgdpe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Diccgfpd.exe Dfefkkqp.exe File opened for modification C:\Windows\SysWOW64\Nmlddqem.exe Njmhhefi.exe File created C:\Windows\SysWOW64\Ifenan32.dll Process not Found File created C:\Windows\SysWOW64\Pjkakfla.dll Process not Found File created C:\Windows\SysWOW64\Fobdihjo.dll Clbceo32.exe File created C:\Windows\SysWOW64\Fkihnmhj.exe Edopabqn.exe File created C:\Windows\SysWOW64\Hpbiip32.exe Hgiepjga.exe File opened for modification C:\Windows\SysWOW64\Hpbiip32.exe Hgiepjga.exe File opened for modification C:\Windows\SysWOW64\Ggmmlamj.exe Process not Found File created C:\Windows\SysWOW64\Ijcomn32.dll Process not Found File created C:\Windows\SysWOW64\Dakdmb32.dll Gpnmbl32.exe File created C:\Windows\SysWOW64\Jgmjmjnb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bdojjo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ekonpckp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gdppbfff.exe Gochjpho.exe File created C:\Windows\SysWOW64\Demnop32.dll Ggqida32.exe File opened for modification C:\Windows\SysWOW64\Hkehkocf.exe Hdlpneli.exe File opened for modification C:\Windows\SysWOW64\Qadoba32.exe Qcaofebg.exe File opened for modification C:\Windows\SysWOW64\Jlbejloe.exe Process not Found File created C:\Windows\SysWOW64\Pimfpc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Binhnomg.exe Process not Found File created C:\Windows\SysWOW64\Bipecnkd.exe Process not Found File created C:\Windows\SysWOW64\Pciqnk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pndohaqe.exe Pcojkhap.exe File opened for modification C:\Windows\SysWOW64\Hofmfmhj.exe Hfningai.exe File created C:\Windows\SysWOW64\Dabhdinj.exe Dikpbl32.exe File created C:\Windows\SysWOW64\Gdidcm32.dll Oeoblb32.exe File created C:\Windows\SysWOW64\Fqikob32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qchmagie.exe Qeemej32.exe File created C:\Windows\SysWOW64\Blfdia32.exe Bbnpqk32.exe File created C:\Windows\SysWOW64\Kldggoeb.dll Fojlngce.exe File opened for modification C:\Windows\SysWOW64\Gkkgpc32.exe Gbdoof32.exe File opened for modification C:\Windows\SysWOW64\Hobkfd32.exe Hkfoeega.exe File opened for modification C:\Windows\SysWOW64\Jjmcnbdm.exe Jgogbgei.exe File opened for modification C:\Windows\SysWOW64\Nlhkgi32.exe Ncabfkqo.exe File created C:\Windows\SysWOW64\Lfeljd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bjagjhnc.exe Bgcknmop.exe File created C:\Windows\SysWOW64\Lmaamn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pkhoae32.exe Pabkdmpi.exe File created C:\Windows\SysWOW64\Abkjdnoa.exe Ajdbcano.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Ipnjab32.exe File created C:\Windows\SysWOW64\Jeklag32.exe Jblpek32.exe File created C:\Windows\SysWOW64\Geqnma32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oqklkbbi.exe Process not Found File created C:\Windows\SysWOW64\Ioeeep32.dll Aealah32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4412 15012 Process not Found 1807 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Podmkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nomncpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjjac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qajadlja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llgjjnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckeoeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blhdmebn.dll" Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll" Ligqhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll" Nckndeni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oponmilc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecegjob.dll" Kpdboimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgiiak32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkcboack.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kndojobi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgmcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlkdj32.dll" Pkegpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghpocngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoolbinc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbpbed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkcaoef.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dammlf32.dll" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himnbjpd.dll" Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcfmgfde.dll" Dkljak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflpld32.dll" Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobfk32.dll" Allpejfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agffge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Becifhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igoedk32.dll" Eoolbinc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll" Pcijeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejldilhc.dll" Jghabl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aokcklid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll" Nmnqjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpbmco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2816 wrote to memory of 3016 2816 54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe 83 PID 2816 wrote to memory of 3016 2816 54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe 83 PID 2816 wrote to memory of 3016 2816 54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe 83 PID 3016 wrote to memory of 4700 3016 Njfmke32.exe 84 PID 3016 wrote to memory of 4700 3016 Njfmke32.exe 84 PID 3016 wrote to memory of 4700 3016 Njfmke32.exe 84 PID 4700 wrote to memory of 4140 4700 Nqpego32.exe 85 PID 4700 wrote to memory of 4140 4700 Nqpego32.exe 85 PID 4700 wrote to memory of 4140 4700 Nqpego32.exe 85 PID 4140 wrote to memory of 1780 4140 Okeieh32.exe 86 PID 4140 wrote to memory of 1780 4140 Okeieh32.exe 86 PID 4140 wrote to memory of 1780 4140 Okeieh32.exe 86 PID 1780 wrote to memory of 4324 1780 Ojjffddl.exe 87 PID 1780 wrote to memory of 4324 1780 Ojjffddl.exe 87 PID 1780 wrote to memory of 4324 1780 Ojjffddl.exe 87 PID 4324 wrote to memory of 1676 4324 Occkojkm.exe 88 PID 4324 wrote to memory of 1676 4324 Occkojkm.exe 88 PID 4324 wrote to memory of 1676 4324 Occkojkm.exe 88 PID 1676 wrote to memory of 2184 1676 Oqgkhnjf.exe 89 PID 1676 wrote to memory of 2184 1676 Oqgkhnjf.exe 89 PID 1676 wrote to memory of 2184 1676 Oqgkhnjf.exe 89 PID 2184 wrote to memory of 1320 2184 Ocegdjij.exe 90 PID 2184 wrote to memory of 1320 2184 Ocegdjij.exe 90 PID 2184 wrote to memory of 1320 2184 Ocegdjij.exe 90 PID 1320 wrote to memory of 2064 1320 Onklabip.exe 91 PID 1320 wrote to memory of 2064 1320 Onklabip.exe 91 PID 1320 wrote to memory of 2064 1320 Onklabip.exe 91 PID 2064 wrote to memory of 2520 2064 Oqihnn32.exe 92 PID 2064 wrote to memory of 2520 2064 Oqihnn32.exe 92 PID 2064 wrote to memory of 2520 2064 Oqihnn32.exe 92 PID 2520 wrote to memory of 3940 2520 Pgemphmn.exe 94 PID 2520 wrote to memory of 3940 2520 Pgemphmn.exe 94 PID 2520 wrote to memory of 3940 2520 Pgemphmn.exe 94 PID 3940 wrote to memory of 1592 3940 Pqnaim32.exe 95 PID 3940 wrote to memory of 1592 3940 Pqnaim32.exe 95 PID 3940 wrote to memory of 1592 3940 Pqnaim32.exe 95 PID 1592 wrote to memory of 5072 1592 Pjffbc32.exe 97 PID 1592 wrote to memory of 5072 1592 Pjffbc32.exe 97 PID 1592 wrote to memory of 5072 1592 Pjffbc32.exe 97 PID 5072 wrote to memory of 4336 5072 Pcojkhap.exe 98 PID 5072 wrote to memory of 4336 5072 Pcojkhap.exe 98 PID 5072 wrote to memory of 4336 5072 Pcojkhap.exe 98 PID 4336 wrote to memory of 2068 4336 Pndohaqe.exe 99 PID 4336 wrote to memory of 2068 4336 Pndohaqe.exe 99 PID 4336 wrote to memory of 2068 4336 Pndohaqe.exe 99 PID 2068 wrote to memory of 1728 2068 Pabkdmpi.exe 100 PID 2068 wrote to memory of 1728 2068 Pabkdmpi.exe 100 PID 2068 wrote to memory of 1728 2068 Pabkdmpi.exe 100 PID 1728 wrote to memory of 2668 1728 Pkhoae32.exe 101 PID 1728 wrote to memory of 2668 1728 Pkhoae32.exe 101 PID 1728 wrote to memory of 2668 1728 Pkhoae32.exe 101 PID 2668 wrote to memory of 2028 2668 Peqcjkfp.exe 102 PID 2668 wrote to memory of 2028 2668 Peqcjkfp.exe 102 PID 2668 wrote to memory of 2028 2668 Peqcjkfp.exe 102 PID 2028 wrote to memory of 4152 2028 Pkjlge32.exe 104 PID 2028 wrote to memory of 4152 2028 Pkjlge32.exe 104 PID 2028 wrote to memory of 4152 2028 Pkjlge32.exe 104 PID 4152 wrote to memory of 3048 4152 Qecppkdm.exe 105 PID 4152 wrote to memory of 3048 4152 Qecppkdm.exe 105 PID 4152 wrote to memory of 3048 4152 Qecppkdm.exe 105 PID 3048 wrote to memory of 852 3048 Qgallfcq.exe 106 PID 3048 wrote to memory of 852 3048 Qgallfcq.exe 106 PID 3048 wrote to memory of 852 3048 Qgallfcq.exe 106 PID 852 wrote to memory of 2836 852 Qjpiha32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\54b881c52b01376e734d60e7210d2c9850182ab32cc32bf63b2fe02b44698d26_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe23⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:528 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe26⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe27⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe28⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe29⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe30⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe31⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe33⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4024 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe35⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe36⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe37⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe38⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe39⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe40⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe41⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe42⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe43⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe44⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe45⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe46⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe47⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe48⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe49⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe50⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe51⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe52⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe53⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe55⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe56⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe57⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe58⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe60⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe61⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe62⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe63⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe64⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe65⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe66⤵PID:4004
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe67⤵PID:2512
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe68⤵PID:3692
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe69⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe70⤵PID:2980
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe71⤵PID:4412
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe72⤵PID:4516
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe73⤵PID:4996
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe74⤵PID:1400
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe75⤵PID:1632
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe76⤵PID:3988
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe77⤵PID:4556
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe78⤵PID:1344
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe79⤵PID:4908
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe80⤵PID:4288
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe81⤵PID:4264
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe82⤵PID:4568
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe83⤵PID:4236
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe84⤵PID:1448
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe85⤵PID:3380
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe86⤵PID:4864
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe87⤵PID:2116
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe88⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe89⤵PID:2760
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe90⤵PID:400
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe91⤵PID:5024
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe92⤵PID:5156
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe93⤵PID:5196
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe94⤵PID:5236
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe95⤵PID:5276
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe96⤵PID:5312
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe97⤵PID:5356
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe98⤵PID:5396
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe99⤵PID:5444
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe100⤵
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe101⤵PID:5524
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe102⤵PID:5568
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe103⤵PID:5604
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe104⤵PID:5656
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe105⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe107⤵PID:5776
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe108⤵PID:5820
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe109⤵PID:5856
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe110⤵PID:5908
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe111⤵PID:5952
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe112⤵PID:5988
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe113⤵PID:6036
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe114⤵PID:6072
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe115⤵
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe116⤵PID:816
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe117⤵PID:5192
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe118⤵PID:5256
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe119⤵PID:5324
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe120⤵PID:5384
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe121⤵PID:5460
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe122⤵PID:5536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-