Analysis
max time kernel: 71s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 09/05/2024, 12:51
Behavioral task behavioral1
Sample: 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe
Size: 368KB
MD5: 380de7ae3759858af17c4b3db766a940
SHA1: 5553f405958c8eeaa92c895e73272a1661fb908a
SHA256: bdec4e5c400886026fc62173bca8188760ca8d4ac80b10ac9eea64248f47e0dd
SHA512: be15889506a407800ea9bf57cf3ab09ce5b5df07ab814974b9482d8ebd5dc48160bc1f7ee6d82a73f9ca5aaa20ea15bb0edc5eb9a228bb9cdb1ee333040a0812
SSDEEP: 6144:PilPPIsilTjZXvEQo9dfJBEdKFckUQ/4TIHD4xutM3VOEIuV5t6R+0I/VzogZW:Pil3aT9XvEhdfJkKSkU3kHyuaRB5t6kO
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 1576, pid_target 2308, Process: Process not Found
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
The section lists 64 entries: the first 16 spawns in the chain, each recorded as 4 writes from the parent into the new child. The process tree below carries the "Suspicious use of WriteProcessMemory" flag on exactly those 16 processes.
description | pid | Process | procid_target | entries
PID 2120 wrote to memory of 1984 | 2120 | 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe | 28 | 4
PID 1984 wrote to memory of 2640 | 1984 | Eknkpbdf.exe | 29 | 4
PID 2640 wrote to memory of 2692 | 2640 | Fbjpblip.exe | 30 | 4
PID 2692 wrote to memory of 2988 | 2692 | Fnqqgm32.exe | 31 | 4
PID 2988 wrote to memory of 2964 | 2988 | Ffnbaojm.exe | 32 | 4
PID 2964 wrote to memory of 2396 | 2964 | Giahhj32.exe | 33 | 4
PID 2396 wrote to memory of 896 | 2396 | Gfehan32.exe | 34 | 4
PID 896 wrote to memory of 2836 | 896 | Gihniioc.exe | 35 | 4
PID 2836 wrote to memory of 2132 | 2836 | Gngcgp32.exe | 36 | 4
PID 2132 wrote to memory of 2400 | 2132 | Heakcjcd.exe | 37 | 4
PID 2400 wrote to memory of 1408 | 2400 | Hmmphlpp.exe | 38 | 4
PID 1408 wrote to memory of 824 | 1408 | Hoebpc32.exe | 39 | 4
PID 824 wrote to memory of 840 | 824 | Ihmgiiff.exe | 40 | 4
PID 840 wrote to memory of 1340 | 840 | Ihpdoh32.exe | 41 | 4
PID 1340 wrote to memory of 1908 | 1340 | Ilnmdgkj.exe | 42 | 4
PID 1908 wrote to memory of 1756 | 1908 | Ippbnjni.exe | 43 | 4
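Added example (not part of the sandbox report): a parser for the entries above that collapses the four writes recorded per spawn and follows writer-to-target links into an ordered chain. Two points for the reader: a parent writing into a process it has just created is part of ordinary process creation on Windows (the parent writes the new process's startup parameters before its first thread runs), so these entries do not by themselves show injection into an unrelated process; what marks this sample is that every target in turn becomes the next writer, giving the sample -> Eknkpbdf.exe -> Fbjpblip.exe -> ... chain that the process tree confirms. The excerpt embedded in the code is the first three spawns copied verbatim; the functions accept the section's run-on text as well, since they scan for the entry pattern rather than splitting on newlines. Function names and the chain check are this example's own.

```python
"""Collapse and chain sandbox 'wrote to memory of' entries. Example code written for
this page, not part of the report or the sample."""
import re
from collections import OrderedDict

# Verbatim excerpt of the section above: the first three spawns, four entries each.
# Column order in the report: description, pid, Process, procid_target.
WRITE_LOG = """\
PID 2120 wrote to memory of 1984 2120 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe 28
PID 2120 wrote to memory of 1984 2120 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe 28
PID 2120 wrote to memory of 1984 2120 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe 28
PID 2120 wrote to memory of 1984 2120 380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe 28
PID 1984 wrote to memory of 2640 1984 Eknkpbdf.exe 29
PID 1984 wrote to memory of 2640 1984 Eknkpbdf.exe 29
PID 1984 wrote to memory of 2640 1984 Eknkpbdf.exe 29
PID 1984 wrote to memory of 2640 1984 Eknkpbdf.exe 29
PID 2640 wrote to memory of 2692 2640 Fbjpblip.exe 30
PID 2640 wrote to memory of 2692 2640 Fbjpblip.exe 30
PID 2640 wrote to memory of 2692 2640 Fbjpblip.exe 30
PID 2640 wrote to memory of 2692 2640 Fbjpblip.exe 30
"""

ENTRY_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)')


def parse_writes(text):
    """One dict per entry. Scans for the pattern, so the page's run-on form parses too."""
    events = []
    for m in ENTRY_RE.finditer(text):
        e = {k: (v if k == 'image' else int(v)) for k, v in m.groupdict().items()}
        if e['src'] != e['pid']:          # description and pid columns must agree
            raise ValueError(f'inconsistent entry: {m.group(0)}')
        events.append(e)
    return events


def collapse(events):
    """Merge repeated (writer, target) pairs, keeping first-seen order and a count."""
    edges = OrderedDict()
    for e in events:
        key = (e['src'], e['dst'])
        if key not in edges:
            edges[key] = {'src': e['src'], 'image': e['image'], 'dst': e['dst'],
                          'target': e['target'], 'count': 0}
        edges[key]['count'] += 1
    return list(edges.values())


def linear_chain(edges):
    """Follow writer -> target links from the root (a writer that is nobody's target).
    Returns the ordered PIDs if the edges form one unbranched chain, else None: a
    writer with several targets, several roots, or a cycle is not this pattern."""
    by_src = {}
    for e in edges:
        if e['src'] in by_src:
            return None                   # one writer, two targets: branches, not a chain
        by_src[e['src']] = e['dst']
    targets = set(by_src.values())
    roots = [s for s in by_src if s not in targets]
    if len(roots) != 1:
        return None
    chain, pid = [roots[0]], roots[0]
    while pid in by_src:
        pid = by_src[pid]
        if pid in chain:
            return None                   # cycle
        chain.append(pid)
    return chain


def image_of(edges, pid):
    """Image name recorded for a writer PID, or None if it never wrote."""
    for e in edges:
        if e['src'] == pid:
            return e['image']
    return None


if __name__ == '__main__':
    edges = collapse(parse_writes(WRITE_LOG))
    chain = linear_chain(edges)
    print(' -> '.join(image_of(edges, p) or f'pid {p}' for p in chain))
    for e in edges:
        print(f"{e['src']} ({e['image']}) wrote {e['count']}x into {e['dst']}")
```

Run over the full section, the chain ends at PID 1756, the process the tree lists as Iaonhm32.exe; `linear_chain` returning None on a report is the quick signal that a sample writes into something other than its own next child.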
Processes
Every process below the sample runs from C:\Windows\SysWOW64\<name>.exe and was started with the command line C:\Windows\system32\<name>.exe; for a 32-bit process on x64, WOW64 file-system redirection maps that system32 path to SysWOW64. The number is the depth in the process tree: each process was launched by the one listed immediately before it.
1. C:\Users\Admin\AppData\Local\Temp\380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe (PID 2120), command line "C:\Users\Admin\AppData\Local\Temp\380de7ae3759858af17c4b3db766a940_NeikiAnalytics.exe": Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Eknkpbdf.exe (PID 1984): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fbjpblip.exe (PID 2640): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fnqqgm32.exe (PID 2692): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ffnbaojm.exe (PID 2988): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Giahhj32.exe (PID 2964): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gfehan32.exe (PID 2396): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gihniioc.exe (PID 896): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gngcgp32.exe (PID 2836): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Heakcjcd.exe (PID 2132): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hmmphlpp.exe (PID 2400): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hoebpc32.exe (PID 1408): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ihmgiiff.exe (PID 824): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ihpdoh32.exe (PID 840): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ilnmdgkj.exe (PID 1340): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ippbnjni.exe (PID 1908): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Iaonhm32.exe (PID 1756): Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Jpdkii32.exe (PID 1124): Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Jnhlbn32.exe (PID 1792): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
20. C:\Windows\SysWOW64\Jhdihkcj.exe (PID 456): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Kncofa32.exe (PID 1132): Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Kkgopf32.exe (PID 740): Executes dropped EXE; Loads dropped DLL; Modifies registry class
23. C:\Windows\SysWOW64\Kqdhhm32.exe (PID 2212): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Knhhaaki.exe (PID 1648): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Kceqjhiq.exe (PID 2940): Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Kqiaclhj.exe (PID 2932): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Kfeikcfa.exe (PID 1652): Executes dropped EXE; Loads dropped DLL; Modifies registry class
28. C:\Windows\SysWOW64\Ljcbaamh.exe (PID 2600): Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Ljfogake.exe (PID 2520): Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Mamgmofp.exe (PID 2564): Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Mnaggcej.exe (PID 2440): Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Mjhhld32.exe (PID 2652): Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Mmhamoho.exe (PID 2468): Executes dropped EXE; Drops file in System32 directory
34. C:\Windows\SysWOW64\Mbeiefff.exe (PID 792): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35. C:\Windows\SysWOW64\Noljjglk.exe (PID 1280): Executes dropped EXE
36. C:\Windows\SysWOW64\Nlpkdkkd.exe (PID 2112): Executes dropped EXE
37. C:\Windows\SysWOW64\Noacef32.exe (PID 280): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
38. C:\Windows\SysWOW64\Nocpkf32.exe (PID 2596): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Nhlddkmc.exe (PID 2772): Executes dropped EXE
40. C:\Windows\SysWOW64\Odbeilbg.exe (PID 1900): Executes dropped EXE
41. C:\Windows\SysWOW64\Oionacqo.exe (PID 2736): Executes dropped EXE
42. C:\Windows\SysWOW64\Ommfga32.exe (PID 2312): Executes dropped EXE
43. C:\Windows\SysWOW64\Odgodl32.exe (PID 1948): Executes dropped EXE
44. C:\Windows\SysWOW64\Onocmadb.exe (PID 2152): Executes dropped EXE
45. C:\Windows\SysWOW64\Ooqpdj32.exe (PID 2080): Executes dropped EXE
46. C:\Windows\SysWOW64\Opplolac.exe (PID 1492): Executes dropped EXE
47. C:\Windows\SysWOW64\Oemegc32.exe (PID 1456): Executes dropped EXE
48. C:\Windows\SysWOW64\Ohkaco32.exe (PID 1580): Executes dropped EXE
49. C:\Windows\SysWOW64\Pcaepg32.exe (PID 1804): Executes dropped EXE
50. C:\Windows\SysWOW64\Pohfehdi.exe (PID 1008): Executes dropped EXE; Drops file in System32 directory
51. C:\Windows\SysWOW64\Pddnnp32.exe (PID 2928): Executes dropped EXE
52. C:\Windows\SysWOW64\Pojbkh32.exe (PID 744): Executes dropped EXE; Modifies registry class
53. C:\Windows\SysWOW64\Pdgkco32.exe (PID 1728): Executes dropped EXE
54. C:\Windows\SysWOW64\Pgegok32.exe (PID 1988): Executes dropped EXE
55. C:\Windows\SysWOW64\Pggdejno.exe (PID 2688): Executes dropped EXE
56. C:\Windows\SysWOW64\Qgjqjjll.exe (PID 2708): Executes dropped EXE
57. C:\Windows\SysWOW64\Qndigd32.exe (PID 2428): Executes dropped EXE; Modifies registry class
58. C:\Windows\SysWOW64\Qfonkfqd.exe (PID 760): Executes dropped EXE
59. C:\Windows\SysWOW64\Qmifhq32.exe (PID 2580): Executes dropped EXE
60. C:\Windows\SysWOW64\Accnekon.exe (PID 2100): Executes dropped EXE
61. C:\Windows\SysWOW64\Afajafoa.exe (PID 2512): Executes dropped EXE
62. C:\Windows\SysWOW64\Abhkfg32.exe (PID 1312): Executes dropped EXE
63. C:\Windows\SysWOW64\Aollokco.exe (PID 1720): Executes dropped EXE
64. C:\Windows\SysWOW64\Aidphq32.exe (PID 2028): Executes dropped EXE
65. C:\Windows\SysWOW64\Aapemc32.exe (PID 1188): Executes dropped EXE
66. C:\Windows\SysWOW64\Akeijlfq.exe (PID 2768)
67. C:\Windows\SysWOW64\Acqnnndl.exe (PID 1320)
68. C:\Windows\SysWOW64\Bnfblgca.exe (PID 1636): Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Bjmbqhif.exe (PID 2204)
70. C:\Windows\SysWOW64\Bcegin32.exe (PID 2136)
71. C:\Windows\SysWOW64\Bmnlbcfg.exe (PID 1692)
72. C:\Windows\SysWOW64\Bmphhc32.exe (PID 936)
73. C:\Windows\SysWOW64\Bmbemb32.exe (PID 1600): Modifies registry class
74. C:\Windows\SysWOW64\Bleeioil.exe (PID 1488)
75. C:\Windows\SysWOW64\Bbonei32.exe (PID 2032): Drops file in System32 directory
76. C:\Windows\SysWOW64\Cpcnonob.exe (PID 2436)
77. C:\Windows\SysWOW64\Cadjgf32.exe (PID 2724)
78. C:\Windows\SysWOW64\Cikbhc32.exe (PID 652): Modifies registry class
79. C:\Windows\SysWOW64\Cebcmdlg.exe (PID 2480)
80. C:\Windows\SysWOW64\Cllkin32.exe (PID 2944)
81. C:\Windows\SysWOW64\Caidaeak.exe (PID 928)
82. C:\Windows\SysWOW64\Cdgpnqpo.exe (PID 2764)
83. C:\Windows\SysWOW64\Cffljlpc.exe (PID 1276)
84. C:\Windows\SysWOW64\Comdkipe.exe (PID 1096)
85. C:\Windows\SysWOW64\Ckcepj32.exe (PID 1112)
86. C:\Windows\SysWOW64\Ddliip32.exe (PID 1284)
87. C:\Windows\SysWOW64\Dkfbfjdf.exe (PID 2604)
88. C:\Windows\SysWOW64\Dpcjnabn.exe (PID 2160)
89. C:\Windows\SysWOW64\Depbfhpe.exe (PID 1608)
90. C:\Windows\SysWOW64\Dpegcq32.exe (PID 1064)
91. C:\Windows\SysWOW64\Dinklffl.exe (PID 1664)
92. C:\Windows\SysWOW64\Dpgcip32.exe (PID 2936)
93. C:\Windows\SysWOW64\Daipqhdg.exe (PID 3040)
94. C:\Windows\SysWOW64\Dhbhmb32.exe (PID 2624): Modifies registry class
95. C:\Windows\SysWOW64\Dlndnacm.exe (PID 2620)
96. C:\Windows\SysWOW64\Domqjm32.exe (PID 2832)
97. C:\Windows\SysWOW64\Ddiibc32.exe (PID 2572)
98. C:\Windows\SysWOW64\Ekcaonhe.exe (PID 676)
99. C:\Windows\SysWOW64\Eeielfhk.exe (PID 2744)
100. C:\Windows\SysWOW64\Ekfndmfb.exe (PID 524)
101. C:\Windows\SysWOW64\Epbfmd32.exe (PID 972)
102. C:\Windows\SysWOW64\Egmojnlf.exe (PID 2648): Drops file in System32 directory
103. C:\Windows\SysWOW64\Enfgfh32.exe (PID 1328)
104. C:\Windows\SysWOW64\Ilcoce32.exe (PID 268)
105. C:\Windows\SysWOW64\Jhafhe32.exe (PID 2168): Modifies registry class
106. C:\Windows\SysWOW64\Lqncaj32.exe (PID 588)
107. C:\Windows\SysWOW64\Ldllgiek.exe (PID 2008)
108. C:\Windows\SysWOW64\Lkfddc32.exe (PID 2352)
109. C:\Windows\SysWOW64\Lqcmmjko.exe (PID 3032)
110. C:\Windows\SysWOW64\Lngnfnji.exe (PID 2544): Modifies registry class
111. C:\Windows\SysWOW64\Lgoboc32.exe (PID 2164)
112. C:\Windows\SysWOW64\Lqhfhigj.exe (PID 2848): Modifies registry class
113. C:\Windows\SysWOW64\Lcfbdd32.exe (PID 948)
114. C:\Windows\SysWOW64\Mjpkqonj.exe (PID 2788): Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Mpmcielb.exe (PID 2296)
116. C:\Windows\SysWOW64\Mfglep32.exe (PID 2004)
117. C:\Windows\SysWOW64\Mpopnejo.exe (PID 1640)
118. C:\Windows\SysWOW64\Melifl32.exe (PID 1928)
119. C:\Windows\SysWOW64\Macilmnk.exe (PID 1836)
120. C:\Windows\SysWOW64\Mjkndb32.exe (PID 1932)
121. C:\Windows\SysWOW64\Mbbfep32.exe (PID 1704)
122. C:\Windows\SysWOW64\Meabakda.exe (PID 2208): Drops file in System32 directory