Analysis

max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 12:45

Static task: static1
Behavioral task: behavioral1
  Sample: 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en

The signatures and process tree that follow are from behavioral1, the Windows 7 x64 run (platform windows7_x64, resource win7-20240611-en); the Windows 10 run (behavioral2) is not shown on this page.

General

Target: 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
Size: 141KB
MD5: 7d4e811a1aea2dc42ab2a3882c013440
SHA1: 086336c6fd53b839a0234763a67df16106afa276
SHA256: e0da8e4cb37982904155d625bcbde89039ff853bebeb645548ab872c983f59ee
SHA512: 4dcf747045df6a2d520c612c9bfcf7c93190f94ec469965834d8e1a6b795c48b398f7c802e59f5a53166b1e5ff4504a6dc27b231d3aba31f3cd7b308b08c2664
SSDEEP: 3072:arofnzm1F3wQ9bGCmBJFWpoPSkGFj/p7sW0l:arofnzm1F3N9bGCKJFtE/JK
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 56 IoCs)

Explorer.exe instantiates every CLSID listed under HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL) when the shell starts, which makes the key a COM-based autostart location. The sample registers the value name "Web Event Logger" with the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} and, in the "Modifies registry class" entries below, points that CLSID's InProcServer32 at a DLL it drops into C:\Windows\SysWow64, so the dropped DLL is loaded in-process into Explorer at every shell start. The value name together with the CLSID is a precise hunting string for this sample's persistence. Note that the sample is 32-bit (resource tag arch:x86) and every write was redirected into the Wow6432Node view: the 64-bit Explorer on this image reads the native key and cannot load a 32-bit in-process COM server, so as recorded here the entry is live on 32-bit Windows, while on this x64 VM it would only be consumed by a 32-bit shell.

The 28 processes listed below (the sample and the 27 dropped executables that ran to completion; Cacacg32.exe crashed, see "Program crash") each produce one "Key created" and one "Set value" entry:

Key created       \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

Processes (in execution order): 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe, Okoafmkm.exe, Odjbdb32.exe, Ohhkjp32.exe, Pkidlk32.exe, Pnimnfpc.exe, Pgbafl32.exe, Pqjfoa32.exe, Poocpnbm.exe, Poapfn32.exe, Qeohnd32.exe, Qeaedd32.exe, Aniimjbo.exe, Acfaeq32.exe, Aeenochi.exe, Afgkfl32.exe, Apalea32.exe, Amelne32.exe, Acpdko32.exe, Afnagk32.exe, Bnielm32.exe, Biojif32.exe, Bjbcfn32.exe, Bhfcpb32.exe, Bmclhi32.exe, Bkglameg.exe, Baadng32.exe, Cfnmfn32.exe
Executes dropped EXE (28 IoCs)

Each dropped executable is the next link of the chain and is started by its predecessor (the parent/child relation is in "Suspicious use of WriteProcessMemory" and in the process tree). In order:

pid   process
2948  Okoafmkm.exe
2624  Odjbdb32.exe
2604  Ohhkjp32.exe
2612  Pkidlk32.exe
2224  Pnimnfpc.exe
2572  Pgbafl32.exe
2472  Pqjfoa32.exe
2184  Poocpnbm.exe
840   Poapfn32.exe
1648  Qeohnd32.exe
1188  Qeaedd32.exe
568   Aniimjbo.exe
1816  Acfaeq32.exe
1732  Aeenochi.exe
1988  Afgkfl32.exe
3016  Apalea32.exe
1620  Amelne32.exe
2388  Acpdko32.exe
2120  Afnagk32.exe
1664  Bnielm32.exe
2460  Biojif32.exe
896   Bjbcfn32.exe
2032  Bhfcpb32.exe
2092  Bmclhi32.exe
1544  Bkglameg.exe
2944  Baadng32.exe
2052  Cfnmfn32.exe
2676  Cacacg32.exe
Loads dropped DLL (60 IoCs)

Every process in the chain is recorded twice; WerFault.exe (PID 2724), the error-reporting process started for the crash of PID 2676 (see "Program crash"), is recorded four times.

pid   process                                               entries
2996  7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe   ×2
2948  Okoafmkm.exe                                          ×2
2624  Odjbdb32.exe                                          ×2
2604  Ohhkjp32.exe                                          ×2
2612  Pkidlk32.exe                                          ×2
2224  Pnimnfpc.exe                                          ×2
2572  Pgbafl32.exe                                          ×2
2472  Pqjfoa32.exe                                          ×2
2184  Poocpnbm.exe                                          ×2
840   Poapfn32.exe                                          ×2
1648  Qeohnd32.exe                                          ×2
1188  Qeaedd32.exe                                          ×2
568   Aniimjbo.exe                                          ×2
1816  Acfaeq32.exe                                          ×2
1732  Aeenochi.exe                                          ×2
1988  Afgkfl32.exe                                          ×2
3016  Apalea32.exe                                          ×2
1620  Amelne32.exe                                          ×2
2388  Acpdko32.exe                                          ×2
2120  Afnagk32.exe                                          ×2
1664  Bnielm32.exe                                          ×2
2460  Biojif32.exe                                          ×2
896   Bjbcfn32.exe                                          ×2
2032  Bhfcpb32.exe                                          ×2
2092  Bmclhi32.exe                                          ×2
1544  Bkglameg.exe                                          ×2
2944  Baadng32.exe                                          ×2
2052  Cfnmfn32.exe                                          ×2
2724  WerFault.exe                                          ×4
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\. Each process in the chain drops one DLL (the COM server it then registers under the CLSID, see "Modifies registry class") and writes the next executable in the chain. The list is capped at 64 entries, so not every process has all of its files listed.

process | File created | File opened for modification
7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe | Mfbnoibb.dll | Okoafmkm.exe
Okoafmkm.exe | Ajcfjgdj.dll | (none listed)
Odjbdb32.exe | Ikhkppkn.dll | Ohhkjp32.exe
Ohhkjp32.exe | Faflglmh.dll, Pkidlk32.exe | Pkidlk32.exe
Pkidlk32.exe | Pnimnfpc.exe | Pnimnfpc.exe
Pnimnfpc.exe | Nlpdbghp.dll, Pgbafl32.exe | (none listed)
Pgbafl32.exe | Gneolbel.dll | Pqjfoa32.exe
Pqjfoa32.exe | Imogmg32.dll | Poocpnbm.exe
Poocpnbm.exe | Lbbjgn32.dll, Poapfn32.exe | (none listed)
Poapfn32.exe | Eioojl32.dll | Qeohnd32.exe
Qeohnd32.exe | Pfnkga32.dll, Qeaedd32.exe | (none listed)
Qeaedd32.exe | Jmogdj32.dll, Aniimjbo.exe | Aniimjbo.exe
Aniimjbo.exe | Ljhcccai.dll, Acfaeq32.exe | Acfaeq32.exe
Acfaeq32.exe | Naaffn32.dll, Aeenochi.exe | Aeenochi.exe
Aeenochi.exe | Cophek32.dll | (none listed)
Afgkfl32.exe | Hbappj32.dll, Apalea32.exe | Apalea32.exe
Apalea32.exe | Ebjnie32.dll, Amelne32.exe | Amelne32.exe
Amelne32.exe | Ecjdib32.dll, Acpdko32.exe | Acpdko32.exe
Acpdko32.exe | Mgjcep32.dll, Afnagk32.exe | Afnagk32.exe
Afnagk32.exe | Ennlme32.dll | Bnielm32.exe
Bnielm32.exe | Mmdgdp32.dll | (none listed)
Biojif32.exe | Hqlhpf32.dll, Bjbcfn32.exe | Bjbcfn32.exe
Bjbcfn32.exe | Mlcpdacl.dll | Bhfcpb32.exe
Bhfcpb32.exe | Opacnnhp.dll, Bmclhi32.exe | Bmclhi32.exe
Bmclhi32.exe | Mdqfkmom.dll | Bkglameg.exe
Bkglameg.exe | Baadng32.exe | Baadng32.exe
Baadng32.exe | Mabanhgg.dll | Cfnmfn32.exe
Cfnmfn32.exe | Fdlpjk32.dll, Cacacg32.exe | Cacacg32.exe
Program crash (1 IoCs)

pid   pid_target   process
2724  2676         WerFault.exe

PID 2676 is Cacacg32.exe, the 28th and last dropped executable (see "Executes dropped EXE"). It crashed, so the chain ends there: no further executable was dropped or started, and Cacacg32.exe appears in none of the registry signatures.
Modifies registry class (64 IoCs)

These entries are the second half of the persistence mechanism: the CLSID named in the SSODL value ("Adds autorun key" above) is given an InProcServer32 subkey whose default value is the path of a DLL dropped in C:\Windows\SysWow64, with ThreadingModel = "Apartment". Every process in the chain rewrites the same CLSID's server path to point at its own freshly dropped DLL, so whichever process writes last determines which DLL the shell would load. The list is capped at 64 entries, so not every process has all three operations listed.

Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID   7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}   7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe

Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  by (24 entries): Okoafmkm.exe, Odjbdb32.exe, Ohhkjp32.exe, Pkidlk32.exe, Pnimnfpc.exe, Pgbafl32.exe, Pqjfoa32.exe, Poocpnbm.exe, Qeaedd32.exe, Acfaeq32.exe, Aeenochi.exe, Afgkfl32.exe, Apalea32.exe, Amelne32.exe, Acpdko32.exe, Afnagk32.exe, Bnielm32.exe, Biojif32.exe, Bjbcfn32.exe, Bhfcpb32.exe, Bmclhi32.exe, Bkglameg.exe, Baadng32.exe, Cfnmfn32.exe

Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  by (17 entries): Odjbdb32.exe, Pkidlk32.exe, Pnimnfpc.exe, Pqjfoa32.exe, Poocpnbm.exe, Poapfn32.exe, Qeaedd32.exe, Aniimjbo.exe, Aeenochi.exe, Afgkfl32.exe, Amelne32.exe, Acpdko32.exe, Afnagk32.exe, Bnielm32.exe, Bjbcfn32.exe, Bmclhi32.exe, Bkglameg.exe

Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>"
  21 entries, process -> DLL:
  7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe -> Mfbnoibb.dll
  Okoafmkm.exe -> Ajcfjgdj.dll
  Ohhkjp32.exe -> Faflglmh.dll
  Pkidlk32.exe -> Nmqalo32.dll
  Pgbafl32.exe -> Gneolbel.dll
  Poocpnbm.exe -> Lbbjgn32.dll
  Poapfn32.exe -> Eioojl32.dll
  Qeohnd32.exe -> Pfnkga32.dll
  Qeaedd32.exe -> Jmogdj32.dll
  Aniimjbo.exe -> Ljhcccai.dll
  Acfaeq32.exe -> Naaffn32.dll
  Apalea32.exe -> Ebjnie32.dll
  Amelne32.exe -> Ecjdib32.dll
  Afnagk32.exe -> Ennlme32.dll
  Biojif32.exe -> Hqlhpf32.dll
  Bjbcfn32.exe -> Mlcpdacl.dll
  Bhfcpb32.exe -> Opacnnhp.dll
  Bmclhi32.exe -> Mdqfkmom.dll
  Bkglameg.exe -> Ljacemio.dll
  Baadng32.exe -> Mabanhgg.dll
  Cfnmfn32.exe -> Fdlpjk32.dll
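The two registry signatures ("Adds autorun key" and "Modifies registry class") describe one mechanism in two halves. The following Python is an added example, not code from the report or from the sandbox: it parses registry IoC lines in the format rendered on this page and joins each SSODL value to the CLSID's InProcServer32 path, which is the check an analyst scripts to pull the persistence chain out of a report like this one. The sample lines are a constructed subset copied from the entries above; the regexes are assumptions about that rendered line format, not a documented sandbox schema.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from sandbox registry events.

Added example: this is not code from the report or the sandbox. The sample
lines are constructed by copying a subset of the report's own IoC entries.
"""
import re
from collections import defaultdict

# Constructed sample: six registry IoC lines copied from the report, in the
# rendered "<action> <path>[ = "<data>"] <process>" shape (an assumption).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okoafmkm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odjbdb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll" Poapfn32.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')
SSODL_SUFFIX = r'\microsoft\windows\currentversion\shellserviceobjectdelayload'
CLSID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)


def parse_event(line):
    """Split one registry IoC line into its fields; None if the line is not one."""
    m = SET_RE.match(line)
    if m:
        return {'action': 'set', 'type': m.group(1), 'path': m.group(2),
                'data': m.group(3), 'process': m.group(4)}
    m = KEY_RE.match(line)
    if m:
        return {'action': 'create', 'path': m.group(1), 'process': m.group(2)}
    return None


def resolve_ssodl(lines):
    """Map each SSODL value name to the CLSID it names and to the in-process
    server DLL(s) registered for that CLSID during the run."""
    ssodl = {}                    # value name -> (CLSID, process that set it)
    servers = defaultdict(list)   # CLSID -> [(DLL path, process that set it)]
    threading = defaultdict(set)  # CLSID -> {ThreadingModel values}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev['action'] != 'set':
            continue
        key, _, name = ev['path'].rpartition('\\')   # split key from value name
        lkey = key.lower()
        if lkey.endswith(SSODL_SUFFIX) and CLSID_RE.match(ev['data']):
            ssodl[name] = (ev['data'].upper(), ev['process'])
        elif lkey.endswith('\\inprocserver32'):
            clsid = key.rsplit('\\', 2)[-2].upper()    # ...\CLSID\{guid}\InProcServer32
            if name == '':    # the key's default value holds the DLL path
                dll = ev['data'].replace('\\\\', '\\')  # undo the report's escaping
                servers[clsid].append((dll, ev['process']))
            elif name.lower() == 'threadingmodel':
                threading[clsid].add(ev['data'])
    return {
        name: {'clsid': clsid, 'registered_by': proc,
               'servers': servers.get(clsid, []),
               'threading_model': sorted(threading.get(clsid, ()))}
        for name, (clsid, proc) in ssodl.items()
    }


if __name__ == '__main__':
    for name, info in resolve_ssodl(SAMPLE_EVENTS).items():
        print(f'SSODL "{name}" -> {info["clsid"]} (set by {info["registered_by"]})')
        for dll, proc in info['servers']:
            print(f'    InProcServer32 = {dll}  (set by {proc})')
```

The join is deliberately on the CLSID rather than on the process name: the report shows the sample setting the SSODL value while later processes in the chain overwrite the server path, so following the CLSID is what reveals that the same autostart entry is repointed at a different DLL by each link.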
Suspicious use of WriteProcessMemory (64 IoCs)

Each hop of the chain is recorded four times, the pattern of a parent writing into a child it has just created. The list is capped at 64 entries, so it stops at the hop into Apalea32.exe (PID 3016); the process tree and "Executes dropped EXE" show the chain continuing to Cacacg32.exe.

description                             pid   process                                               target process
PID 2996 wrote to memory of 2948 (×4)   2996  7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe   Okoafmkm.exe
PID 2948 wrote to memory of 2624 (×4)   2948  Okoafmkm.exe                                          Odjbdb32.exe
PID 2624 wrote to memory of 2604 (×4)   2624  Odjbdb32.exe                                          Ohhkjp32.exe
PID 2604 wrote to memory of 2612 (×4)   2604  Ohhkjp32.exe                                          Pkidlk32.exe
PID 2612 wrote to memory of 2224 (×4)   2612  Pkidlk32.exe                                          Pnimnfpc.exe
PID 2224 wrote to memory of 2572 (×4)   2224  Pnimnfpc.exe                                          Pgbafl32.exe
PID 2572 wrote to memory of 2472 (×4)   2572  Pgbafl32.exe                                          Pqjfoa32.exe
PID 2472 wrote to memory of 2184 (×4)   2472  Pqjfoa32.exe                                          Poocpnbm.exe
PID 2184 wrote to memory of 840 (×4)    2184  Poocpnbm.exe                                          Poapfn32.exe
PID 840 wrote to memory of 1648 (×4)    840   Poapfn32.exe                                          Qeohnd32.exe
PID 1648 wrote to memory of 1188 (×4)   1648  Qeohnd32.exe                                          Qeaedd32.exe
PID 1188 wrote to memory of 568 (×4)    1188  Qeaedd32.exe                                          Aniimjbo.exe
PID 568 wrote to memory of 1816 (×4)    568   Aniimjbo.exe                                          Acfaeq32.exe
PID 1816 wrote to memory of 1732 (×4)   1816  Acfaeq32.exe                                          Aeenochi.exe
PID 1732 wrote to memory of 1988 (×4)   1732  Aeenochi.exe                                          Afgkfl32.exe
PID 1988 wrote to memory of 3016 (×4)   1988  Afgkfl32.exe                                          Apalea32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe"
Tree depth: 1
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2996
-
C:\Windows\SysWOW64\Okoafmkm.exe
Command line: C:\Windows\system32\Okoafmkm.exe
Tree depth: 2 (child of PID 2996)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2948
-
C:\Windows\SysWOW64\Odjbdb32.exe
Command line: C:\Windows\system32\Odjbdb32.exe
Tree depth: 3 (child of PID 2948)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2624
-
C:\Windows\SysWOW64\Ohhkjp32.exe
Command line: C:\Windows\system32\Ohhkjp32.exe
Tree depth: 4 (child of PID 2624)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2604
-
C:\Windows\SysWOW64\Pkidlk32.exe
Command line: C:\Windows\system32\Pkidlk32.exe
Tree depth: 5 (child of PID 2604)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2612
-
C:\Windows\SysWOW64\Pnimnfpc.exe
Command line: C:\Windows\system32\Pnimnfpc.exe
Tree depth: 6 (child of PID 2612)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2224
-
C:\Windows\SysWOW64\Pgbafl32.exe
Command line: C:\Windows\system32\Pgbafl32.exe
Tree depth: 7 (child of PID 2224)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2572
-
C:\Windows\SysWOW64\Pqjfoa32.exe
Command line: C:\Windows\system32\Pqjfoa32.exe
Tree depth: 8 (child of PID 2572)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2472
-
C:\Windows\SysWOW64\Poocpnbm.exe
Command line: C:\Windows\system32\Poocpnbm.exe
Tree depth: 9 (child of PID 2472)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2184
-
C:\Windows\SysWOW64\Poapfn32.exe
Command line: C:\Windows\system32\Poapfn32.exe
Tree depth: 10 (child of PID 2184)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 840
-
C:\Windows\SysWOW64\Qeohnd32.exe
Command line: C:\Windows\system32\Qeohnd32.exe
Tree depth: 11 (child of PID 840)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1648
-
C:\Windows\SysWOW64\Qeaedd32.exe
Command line: C:\Windows\system32\Qeaedd32.exe
Tree depth: 12 (child of PID 1648)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1188
-
C:\Windows\SysWOW64\Aniimjbo.exe
Command line: C:\Windows\system32\Aniimjbo.exe
Tree depth: 13 (child of PID 1188)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 568
-
C:\Windows\SysWOW64\Acfaeq32.exe
Command line: C:\Windows\system32\Acfaeq32.exe
Tree depth: 14 (child of PID 568)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1816
-
C:\Windows\SysWOW64\Aeenochi.exe
Command line: C:\Windows\system32\Aeenochi.exe
Tree depth: 15 (child of PID 1816)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1732
-
C:\Windows\SysWOW64\Afgkfl32.exe
Command line: C:\Windows\system32\Afgkfl32.exe
Tree depth: 16 (child of PID 1732)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1988
-
C:\Windows\SysWOW64\Apalea32.exe
Command line: C:\Windows\system32\Apalea32.exe
Tree depth: 17 (child of PID 1988)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 3016
-
C:\Windows\SysWOW64\Amelne32.exe
Command line: C:\Windows\system32\Amelne32.exe
Tree depth: 18 (child of PID 3016)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 1620
-
C:\Windows\SysWOW64\Acpdko32.exe
Command line: C:\Windows\system32\Acpdko32.exe
Tree depth: 19 (child of PID 1620)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2388
-
C:\Windows\SysWOW64\Afnagk32.exe
Command line: C:\Windows\system32\Afnagk32.exe
Tree depth: 20 (child of PID 2388)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2120
-
C:\Windows\SysWOW64\Bnielm32.exe
Command line: C:\Windows\system32\Bnielm32.exe
Tree depth: 21 (child of PID 2120)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 1664
-
C:\Windows\SysWOW64\Biojif32.exe
Command line: C:\Windows\system32\Biojif32.exe
Tree depth: 22 (child of PID 1664)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2460
-
C:\Windows\SysWOW64\Bjbcfn32.exe
Command line: C:\Windows\system32\Bjbcfn32.exe
Tree depth: 23 (child of PID 2460)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 896
-
C:\Windows\SysWOW64\Bhfcpb32.exe
Command line: C:\Windows\system32\Bhfcpb32.exe
Tree depth: 24 (child of PID 896)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2032
-
C:\Windows\SysWOW64\Bmclhi32.exe
Command line: C:\Windows\system32\Bmclhi32.exe
Tree depth: 25 (child of PID 2032)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2092
-
C:\Windows\SysWOW64\Bkglameg.exe
Command line: C:\Windows\system32\Bkglameg.exe
Tree depth: 26 (child of PID 2092)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 1544
-
C:\Windows\SysWOW64\Baadng32.exe
Command line: C:\Windows\system32\Baadng32.exe
Tree depth: 27 (child of PID 1544)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2944
-
C:\Windows\SysWOW64\Cfnmfn32.exe
Command line: C:\Windows\system32\Cfnmfn32.exe
Tree depth: 28 (child of PID 2944)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2052
-
C:\Windows\SysWOW64\Cacacg32.exe
Command line: C:\Windows\system32\Cacacg32.exe
Tree depth: 29 (child of PID 2052)
- Executes dropped EXE
PID: 2676
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 140
Tree depth: 30 (child of PID 2676)
- Loads dropped DLL
- Program crash
PID: 2724
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 141KB
MD5: 40210b6cddb4597d6bbf5490992d26e9
SHA1: 8e44d826afba7cf424d72f099d04658553cf988f
SHA256: 247a354e1e30ed19ecb5a22c611b369c0654f53a558492d83ea2960fd534ece8
SHA512: dc8f3b3acad72f575f3f50366e69561afaba7f8d575b976f581ad33860a68b5f3d9b9fefa29a0877f86d5f74903c75f2d6ab16ca45cc7b7b24c4ddbf620450fb
-
Filesize: 141KB
MD5: 7a29503d9679cff55f88109984a10dcc
SHA1: 16949b98b64037c4c6806a45c1b3a40a4f4af106
SHA256: 4859a18c2d1a1df22dbb3d396e571a9daae7a7ab3a1ce03fcf61d6e58120bcee
SHA512: 90e0d6018ad1ff682f62ace5759634422fb1fdd004dec590b208b04c74f573d56e11d6fe619b1621d19832f87f42870c9a08ae5320694630aebb166bbc5a64e8
-
Filesize: 141KB
MD5: f83b255acfa6c91a1d85aab1a5260254
SHA1: 5a377449e7251211bb50b99d336d3883cdeb9792
SHA256: ce2c7a59b899e7ff029a6fb5930bfbf58fd146d8efce00f4a96ba49fef496cd4
SHA512: e00dcf9f29b0f3290e2c1824b18b297c28a9a6c4d8447f18308a26e156467a2769d37212205ade69eef9a3e8923b9e306f0e57ec71e97a9642e89be033fadbf6
-
Filesize: 141KB
MD5: 611cbde340705f2689fa4bf269a04d92
SHA1: b58eeff7d13277ffba2e570471bb223ab1943f54
SHA256: 554afda285f0eba354f5210d17389544196ef7f28bb1e216d5007dd466e2b443
SHA512: 424ee99cdf0fb2be7878f90fde82b20c9287d6048b76134c8fc2a24776d903dd82d8447a761e0b15ca4eb244ec951b341f7c44becac5a25c0c84b283d6e647f1
-
Filesize: 141KB
MD5: 19f8a785a492b05c91615ebce282a047
SHA1: e33caf9f169268968e227afc4140e76972ae6942
SHA256: d306fb49b45fcaa966bca3d3f4125e2ee517e846399c56290293bf412200ce83
SHA512: 2cb38b04cd41c524b3e9bde5750e85cfeb38da3effd2f000a757906d52578197b392501157e5e041b3aa46072222b6c62567a6f369c4d6897a63768a2a0abee2
-
Filesize: 141KB
MD5: aa5e2c015a312d17271cf8248a5eb8e5
SHA1: 717fb04e18a9bbe9ead052e965a164d39b2aa42d
SHA256: ed22ede437dd87a7d45fd7a10dd31707fdc0da7c25c3cb881d39643e79a96fa2
SHA512: 4c9587891eada59383ae2b6aff2310bfc1261541d97d86baff2424207f4d0f136f3dfaa01b27243522ca5e5e813e92cbd9aad4090e787a50128df00a3f352a2d
-
Filesize: 141KB
MD5: c34ca6d132f408d92583d14072e8401c
SHA1: 03ea3e97b3286c8514d61a8676b32265a8a407bf
SHA256: 19740436444f779e3d01edfddb61241ff78686d0294c590d44f54d022ed03390
SHA512: 3aa7664d8e1bb95c9fccaf250831e1ca780aeb836dfe934ac5fc448fa22becc025df58c3818b2a26ee05ed92b71257dd650b4c7702f1175adc4480ffbb88f3e4
-
Filesize: 141KB
MD5: 1365454a2c5178d916d962cde6c1d066
SHA1: ce7d84272e1022b997b69a23f2148bdc167e56de
SHA256: e2813a74879c74f7890438ce3befea9ba3b922f862f348b10fff43a5195fd517
SHA512: 710d0fd8c255ca8a3d7b694b7b4791f701a209d128cfc32090773b251558665370cbc939fbfe2ce62a3cb833be67b5a2a8a08e70e61d3b9624e3f7020daae72c
-
Filesize: 141KB
MD5: ad3fe4b398e9da9dcd76c37237bc05cf
SHA1: 959594ec8aec26125213aa7f3fb42f49fef1f766
SHA256: efe2c32b0a6830307e7f8d7003a5813687a44d14cf6e33e67f53953c1f00bbfa
SHA512: 24fc7577e579b773482a149f077387f174da6057a42a70199e5917683c9d5d3f760227d456bc65a89fb45c3e952b3c4c2263e4b06ae0e3c49e298e43bea77f66
-
Filesize: 141KB
MD5: ade7d5fea5d6aa425bdac3e547a08a9c
SHA1: a2e542cc105ee5306d7993e64309043c592d43a6
SHA256: 0e1a5ba8a538be2ff38969522faa6703ff973df55da73ca9b372dfed42561fc0
SHA512: 6dc843315e0fac3050298d5554b829909970841721182a6667e6163cc759b95b66f2b9162b22fad7e9a786569b8a3fccadbf1748e05274328947e505df261c0d
-
Filesize: 141KB
MD5: e8e48236cde5f71b5862c9eca944d213
SHA1: 694108b971d0c02ff7b61c724d6eea84c2b1261f
SHA256: 7eac4f612670f9aa14e305a553e8db7655393114e03de2fcc4e92bb5d17b59d7
SHA512: a2d4de74ff8e43fa6e7813dd393a5498dcc5e30b88a585a6e6f9c838f5c724c53dcbf694c2337a43cbcf88b355c032cb71a9295829873235992daa79574cb4a0
-
Filesize: 141KB
MD5: 80f47e13b19b153456833d3322ea5f5c
SHA1: 9b54ca85689ebd57dc8f8b179e085a696280347d
SHA256: e1d73d44e14e7206eccb62fe5ad3c84e01412e9b2d1833b7c857990012442af0
SHA512: 34b2ba247dd299bedf02d999792204ff28ac292d8d253670f1130899c32bc27a532e0d07efba4111498928e13026cc91c7982e08b7b4e5a92f65c526294a2187
-
Filesize: 141KB
MD5: e94696ef63005004ae85338bf0906f99
SHA1: c23296f338ab5573f8ea8b3253f2c1bc3b37e297
SHA256: 64ba51cadc9ab727bacdc8f5fe20ec9ff99a495b1cf5b0b316fd23161287b5c4
SHA512: 52fe1111346dba9b2e926d0c04781864eaf2debb88baa257f3bef3f988ea5bac07ab221e6fb7ed689b6f07c6bc9a15c2d8426d1d20e9c02398368f42e80a667b
-
Filesize: 141KB
MD5: cd95b3c04248328bfc1218bc27ebeb14
SHA1: 358dfe1f71c0adb38b15685eb73108f8f049ff72
SHA256: 209291b408262ecf556b7f36169d23bf91dd22a048abdf02e3709282a2c4d45c
SHA512: 21c9aae386459e08e6113c5e8df71ec60430464c7a2b9267cb4f66eba02431ef914900146f55646e33323ab599e8fa94b51a6a1aaf0e7aabe25daa574f9e8872
-
Filesize: 141KB
MD5: 4d69b6320f6c0f3047ba6e276dd1ccc1
SHA1: 9f261acb8aebf4ce14b29a9b665cc3331a2c21cf
SHA256: 4e5622664e4ba093e69ef049e9096dc86724ec18affb1f618f2dfab4d6dfa299
SHA512: c218a54c7cee17dc42bc93f8b75e534f7278737fa751967f88cca682d62fe5eedbd5e46109cbbf285c659d7ed103e196969b1695272aa50a82a5bf7584a4e930
-
Filesize: 141KB
MD5: e209e59f9dc475ebc5b998a302205ed1
SHA1: b4192f00203206dd590f113c65979dfbd544c02e
SHA256: a3d276a4a5f0c5cd10c4f96c5424dc474c0b0d1f1bb7dd249e101342212f2e59
SHA512: 45485506f28b2d4a1e3d3a2a31e3d4b5d84bfa43f8f46591e65d3cdcce01a608dc4a34f0efd2467d87d05da3524f944cc83001cb90eb559ae480912a96185a6b
-
Filesize: 141KB
MD5: 8ee74cd8fb22297ae06c4b5f95deaa74
SHA1: 648b8529a83bdae401380e051cd56c5c8b1e85dc
SHA256: 6db5ba59d88f094b1be6bca29d3a5bb14be83a075c786aadfdc32315ca8287f8
SHA512: f82b1b6157e4f35c967f278644460683d79721090f117dc7a75695724d7adbdac984fee3f0c2d1c817597fad0226858dc7cdcab70a635b84723c91037f737683
-
Filesize: 141KB
MD5: 3da4f9c6e352fd4a236ec35c6dceb2b0
SHA1: 72ebff2466ac698eee83548c632493923e227b14
SHA256: 3694aae1874343287142a9bb5b2deb86142638bc53de12a7069b029acd7165be
SHA512: d43247a509c099b7b381ed531341ea61befeeac872203fe5aad840606c7b830c3935e0b5a7662e45d0fe7b53917e3e4981e2b7e70ad49d050992065c7ec282d0
-
Filesize: 141KB
MD5: c6037ac00e47ab3203ead8999558de70
SHA1: 94535021d5c6b32fe8b44412c9ed2aad6fd08763
SHA256: 6e5d1dd9273ec1306a538d4471604e300b97e6bce07ad7991012f0e996b1a018
SHA512: 504743309040ba55df47100ea54e8ba617f97b8d2c6cf84c9c0d7b33cfcb4745287128f9acee956931aa1d29da2d36bb461451a252c1b0e88f9ddf57c1e7d6bd
-
Filesize: 141KB
MD5: 447c3cf1679b888fc4d6313496477dfe
SHA1: 230b704ead52b0220de14df77f477fec0abfe466
SHA256: 99b5d356287e86caa28395138ed1acdfaebb8fc63360d5f3f53125f7f70a06ec
SHA512: 71ca25e2fe059bc8d8df7bf72a5c3ffb2457a9d30c3e7c7f23ec87fb63729384cfbc7c97068e2aa4b5529fd6b897653da4f195f1b22afa9ef723b2711a298d90
-
Filesize: 141KB
MD5: 291e292617abad23289f77d5e422663b
SHA1: 8199cf98c7f7b0308bdde5d63d34089d315f9153
SHA256: 6725ea58f5f0cfcb4bf900094f861747099dd23a71877f61edd45a7441d0d7fe
SHA512: 316d1f1a3843b8e8649bc06dc25362a781ee5f83be8ea822576f45c502ac67029d955e16bacc9c5b51b49c72e82d82ecfe07a0825fd821f29a3d3a1b107ba5bc
-
Filesize: 141KB
MD5: 8a282571db771e7cfae7c3105adefdcc
SHA1: 8341347a0fa7fc1c1e1c97e3e2e5a02e95bffb10
SHA256: 43f477357098d42fe89a1bc75ad4f03009dd46e956aaff8309b09898bac02bdd
SHA512: d74018d035cdec28e85ed295d18efe8da5bbe08c96cfc512b232d36321ce7827541b3230757fdfabd1ab40d36fac820aff888a8ccefef52ba7f01663f99e5726
-
Filesize: 141KB
MD5: 495ba8dcf2cf3867418dbf04aa49e25c
SHA1: 4b065d2dc21d09743e5348186c40bc4c3f7f058a
SHA256: 73d833ab4835600fe705ff6c7d77e50b8d577722c7e92b634af7f004acbc0ae5
SHA512: f31bb1de6e2b92ba95edcba2da2b328838780ba33f06d89b22e2eaa136f5a90d0bf3f61e69291a7bc306d1837a615e5c5f346afb828575fba99a1ebfa594a86f
-
Filesize: 141KB
MD5: ad22b3a015b02b3a51a781c3b8aeaa11
SHA1: b27ec9199a253add8cff7b0c6b10bfe76b600171
SHA256: cc3356dbe417fd850bd6f81961c388099f572b7fb74f1d21bdd809fc5a47732a
SHA512: 6b6d7991b33045969ccc09c07c3c5af1684dc030202a7900649bf3e076e4827e0a7569c183aa18db195f6347b2d695e890a1913d2495407db8093e478dcd8826
-
Filesize: 141KB
MD5: 2bd054af100e447a2a82844029e18b9b
SHA1: 71290f715c2ecdb27a0b98437fc4cec8f6ef40fb
SHA256: 4c67c74e1b07cd91b379e80ceecc9a7c841cb79c646869931cac280af8a209d3
SHA512: a181f097978f37c5b23d446b1eb07a4a0267c06b7bc923fd10f13c7155da734f6556853d810f4e8ac1753c58d64b68e4d3adef4ff716d9bab57d0f2b7b684e86
-
Filesize: 141KB
MD5: 49f1c833b1a46b30c7ec022f56e1e97f
SHA1: ad4f8b898d8939de46661e2d846cd70f2c550c2b
SHA256: 5f3aa34f34a84e13a108e9a6a1e6dbc62ad46a7577f5d923b3b977814fcfcf5a
SHA512: 9fe9c94d23ad38676ed19b33244ff55936f2b20ed6c747436b436a522d029227fa325f70ae03623b2aef190a207ebc8108027f29a52d0787e71d3cbe43b537ec
-
Filesize: 141KB
MD5: 7fee9ca77877843399ae7af00459a6d2
SHA1: 669af7fd07caa7bf2907c8d594e2ede3cac54b7b
SHA256: 0cb60e121628cb45078ced3c8657f9ec1bd727470b10beb4a9c437989b9a0ee4
SHA512: 58b6b5e6bfddb3ea11d07f746c8ce0a4083e22d04c4d4577d724ab2f305b7b77ef0f86ee3bf861fee3c841b68949296c55b60558dbe328f5cb7ddb47c4491873
-
Filesize: 141KB
MD5: 2a14aa94c341e481288287a6c1ae7f4b
SHA1: 52b5c19e153968ff01cdacea648c742c872c842d
SHA256: c9e743edd5aea21f3c67709dbf5b3407515eb7bb82443f49074e960707caaf58
SHA512: b06fdae67738a8e8ddbf89ae15dbaa7eb86fce39a370de168e1bfa92b22f65ff8579246d08e5d02d7763791fb982a19c40e7739058dd56a54a6b2f3e1fa691d2