Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:41
Behavioral task
behavioral1
Sample
622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe
-
Size
570KB
-
MD5
622a252e02b5a2db92b3c3bab8b53940
-
SHA1
30d405c04f40f862352402ce8c3c7eedec8e16a4
-
SHA256
e74619d41ed18e0b3305126408722b76f82a51e613474003ed1b1a48468d0e45
-
SHA512
dfaae0dd32e2e6c7fcd66b9b9221d1ad101979b1ffc4fc410deef5b8bc86da081ef971f95779fc8e02cfbba0a94095eff5534ea3a7e70324a978a522a3862568
-
SSDEEP
12288:dHEdBwPh2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsRf:+daPh2kkkkK4kXkkkkkkkkhLg
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqpgol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlhkpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfenbpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidjnkdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giieco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagmmgdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejdiffp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdgcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oegbheiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifcbodli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npfgpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeohnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonoflae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbeknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhloponc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbnoliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjnamh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbbngf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeeecekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqfffqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Beejng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2064-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000c00000001225d-5.dat family_berbew behavioral1/memory/2836-14-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2064-7-0x0000000000450000-0x0000000000491000-memory.dmp family_berbew behavioral1/files/0x0008000000016122-20.dat family_berbew behavioral1/memory/2660-41-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00070000000163eb-39.dat family_berbew behavioral1/memory/3012-32-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000016575-47.dat family_berbew behavioral1/memory/2660-48-0x0000000000350000-0x0000000000391000-memory.dmp family_berbew behavioral1/memory/2928-55-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016d29-67.dat family_berbew behavioral1/memory/2136-69-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016d81-75.dat family_berbew behavioral1/memory/2136-77-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x0006000000016da9-95.dat family_berbew behavioral1/memory/2140-108-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016f7e-110.dat family_berbew behavioral1/memory/2272-109-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000600000001737e-121.dat family_berbew behavioral1/files/0x00060000000173c5-128.dat family_berbew behavioral1/memory/1880-123-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1880-130-0x00000000002D0000-0x0000000000311000-memory.dmp family_berbew behavioral1/memory/1880-136-0x00000000002D0000-0x0000000000311000-memory.dmp family_berbew behavioral1/files/0x0031000000015d9c-142.dat family_berbew behavioral1/memory/1096-150-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000173e7-156.dat family_berbew behavioral1/memory/2676-164-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000017472-170.dat family_berbew behavioral1/files/0x0006000000017510-185.dat family_berbew behavioral1/files/0x000d00000001865b-201.dat family_berbew behavioral1/memory/576-182-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1268-202-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1568-203-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001877f-215.dat family_berbew behavioral1/files/0x00060000000190bc-223.dat family_berbew behavioral1/memory/2384-217-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1532-250-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001920f-247.dat family_berbew behavioral1/files/0x0005000000019257-267.dat family_berbew behavioral1/memory/1040-261-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019232-258.dat family_berbew behavioral1/memory/3044-244-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1016-271-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00050000000191dc-234.dat family_berbew behavioral1/files/0x000500000001925d-278.dat family_berbew behavioral1/memory/2796-232-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019369-287.dat family_berbew behavioral1/files/0x00050000000193bb-309.dat family_berbew behavioral1/memory/2324-314-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2324-324-0x0000000000310000-0x0000000000351000-memory.dmp family_berbew behavioral1/memory/2896-328-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019414-321.dat family_berbew behavioral1/memory/1608-325-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2896-334-0x00000000002A0000-0x00000000002E1000-memory.dmp family_berbew behavioral1/files/0x000500000001951e-345.dat family_berbew behavioral1/files/0x0005000000019607-379.dat family_berbew behavioral1/files/0x000500000001960e-402.dat family_berbew behavioral1/memory/1036-394-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1824-409-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019662-411.dat family_berbew behavioral1/files/0x0005000000019c27-433.dat family_berbew behavioral1/memory/2356-438-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2356-448-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2836 Fmcoja32.exe 3012 Fhhcgj32.exe 2660 Fpdhklkl.exe 2928 Fjlhneio.exe 2136 Ffbicfoc.exe 2452 Gonnhhln.exe 2140 Ghfbqn32.exe 2272 Gopkmhjk.exe 1880 Gangic32.exe 2240 Gacpdbej.exe 1096 Gaemjbcg.exe 2676 Hknach32.exe 576 Hahjpbad.exe 1268 Hicodd32.exe 1568 Hlakpp32.exe 2384 Hjhhocjj.exe 2796 Hlfdkoin.exe 3044 Hpapln32.exe 1532 Hkkalk32.exe 1040 Icbimi32.exe 1016 Iaeiieeb.exe 2080 Ihoafpmp.exe 3060 Inljnfkg.exe 1760 Ifcbodli.exe 2324 Idfbkq32.exe 2896 Iajcde32.exe 2652 Idhopq32.exe 2712 Ijeghgoh.exe 2776 Iblpjdpk.exe 2484 Icmlam32.exe 2468 Incpoe32.exe 1036 Iqalka32.exe 1824 Icpigm32.exe 1828 Ifnechbj.exe 2496 Jjjacf32.exe 2356 Jmhmpb32.exe 1988 Jgnamk32.exe 1136 Jfqahgpg.exe 2028 Jiondcpk.exe 2684 Jqfffqpm.exe 1776 Jbgbni32.exe 712 Jjojofgn.exe 1544 Jkpgfn32.exe 1808 Jokcgmee.exe 2976 Jcgogk32.exe 1580 Jfekcg32.exe 1440 Jehkodcm.exe 2096 Jmocpado.exe 3000 Jkbcln32.exe 2060 Jnqphi32.exe 1816 Jbllihbf.exe 2624 Jfghif32.exe 2592 Jifdebic.exe 2148 Jgidao32.exe 2632 Joplbl32.exe 816 Jbnhng32.exe 2492 Kemejc32.exe 624 Kkgmgmfd.exe 2024 Kjjmbj32.exe 2692 Kbqecg32.exe 2420 Keoapb32.exe 2748 Kjljhjkl.exe 1044 Kngfih32.exe 1684 Kafbec32.exe -
Loads dropped DLL 64 IoCs
pid Process 2064 622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe 2064 622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe 2836 Fmcoja32.exe 2836 Fmcoja32.exe 3012 Fhhcgj32.exe 3012 Fhhcgj32.exe 2660 Fpdhklkl.exe 2660 Fpdhklkl.exe 2928 Fjlhneio.exe 2928 Fjlhneio.exe 2136 Ffbicfoc.exe 2136 Ffbicfoc.exe 2452 Gonnhhln.exe 2452 Gonnhhln.exe 2140 Ghfbqn32.exe 2140 Ghfbqn32.exe 2272 Gopkmhjk.exe 2272 Gopkmhjk.exe 1880 Gangic32.exe 1880 Gangic32.exe 2240 Gacpdbej.exe 2240 Gacpdbej.exe 1096 Gaemjbcg.exe 1096 Gaemjbcg.exe 2676 Hknach32.exe 2676 Hknach32.exe 576 Hahjpbad.exe 576 Hahjpbad.exe 1268 Hicodd32.exe 1268 Hicodd32.exe 1568 Hlakpp32.exe 1568 Hlakpp32.exe 2384 Hjhhocjj.exe 2384 Hjhhocjj.exe 2796 Hlfdkoin.exe 2796 Hlfdkoin.exe 3044 Hpapln32.exe 3044 Hpapln32.exe 1532 Hkkalk32.exe 1532 Hkkalk32.exe 1040 Icbimi32.exe 1040 Icbimi32.exe 1016 Iaeiieeb.exe 1016 Iaeiieeb.exe 2080 Ihoafpmp.exe 2080 Ihoafpmp.exe 3060 Inljnfkg.exe 3060 Inljnfkg.exe 1760 Ifcbodli.exe 1760 Ifcbodli.exe 1608 Inngcfid.exe 1608 Inngcfid.exe 2896 Iajcde32.exe 2896 Iajcde32.exe 2652 Idhopq32.exe 2652 Idhopq32.exe 2712 Ijeghgoh.exe 2712 Ijeghgoh.exe 2776 Iblpjdpk.exe 2776 Iblpjdpk.exe 2484 Icmlam32.exe 2484 Icmlam32.exe 2468 Incpoe32.exe 2468 Incpoe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ihoafpmp.exe Iaeiieeb.exe File opened for modification C:\Windows\SysWOW64\Efcfga32.exe Egafleqm.exe File created C:\Windows\SysWOW64\Fhhcgj32.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Okfgfl32.exe Odlojanh.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Ebmgcohn.exe File created C:\Windows\SysWOW64\Lhghcb32.dll Fcefji32.exe File opened for modification C:\Windows\SysWOW64\Inkccpgk.exe Iipgcaob.exe File created C:\Windows\SysWOW64\Lpgimglf.dll Ijbdha32.exe File created C:\Windows\SysWOW64\Ipjcbn32.dll Ljmlbfhi.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Lnmfog32.dll Mamddf32.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Dpbheh32.exe File opened for modification C:\Windows\SysWOW64\Dhbfdjdp.exe Ddgjdk32.exe File created C:\Windows\SysWOW64\Neplhf32.exe Nadpgggp.exe File created C:\Windows\SysWOW64\Lmgocb32.exe Lndohedg.exe File created C:\Windows\SysWOW64\Hmomkh32.dll Pmlmic32.exe File opened for modification C:\Windows\SysWOW64\Ifcbodli.exe Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Aadloj32.exe File created C:\Windows\SysWOW64\Nmgpon32.dll Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Kcfkfo32.exe Kpkofpgq.exe File created C:\Windows\SysWOW64\Ngnbgplj.exe Nhkbkc32.exe File opened for modification C:\Windows\SysWOW64\Lcagpl32.exe Lpekon32.exe File created C:\Windows\SysWOW64\Pmlmic32.exe Pjnamh32.exe File opened for modification C:\Windows\SysWOW64\Leonofpp.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Pjclpeak.dll Ngibaj32.exe File created C:\Windows\SysWOW64\Ipgljgoi.dll Pcdipnqn.exe File created C:\Windows\SysWOW64\Mffimglk.exe Mbkmlh32.exe File created C:\Windows\SysWOW64\Hlfdkoin.exe Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Icpigm32.exe Iqalka32.exe File created C:\Windows\SysWOW64\Kemejc32.exe Jbnhng32.exe File opened for modification C:\Windows\SysWOW64\Fmmkcoap.exe Fjongcbl.exe File opened for modification C:\Windows\SysWOW64\Kfbcbd32.exe Knklagmb.exe File created C:\Windows\SysWOW64\Aeenochi.exe Aajbne32.exe File created C:\Windows\SysWOW64\Kgiaak32.dll Jmhmpb32.exe File created C:\Windows\SysWOW64\Blbfjg32.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Jqgoiokm.exe Jbdonb32.exe File opened for modification C:\Windows\SysWOW64\Jqnejn32.exe Jmbiipml.exe File created C:\Windows\SysWOW64\Dkqahbgm.dll Ifkacb32.exe File created C:\Windows\SysWOW64\Kbelde32.dll Lfdmggnm.exe File opened for modification C:\Windows\SysWOW64\Pgpeal32.exe Pcdipnqn.exe File created C:\Windows\SysWOW64\Pndpajgd.exe Pkfceo32.exe File created C:\Windows\SysWOW64\Gbaoqk32.dll Iblpjdpk.exe File created C:\Windows\SysWOW64\Cacacg32.exe Cilibi32.exe File created C:\Windows\SysWOW64\Ipnndn32.dll Jofbag32.exe File created C:\Windows\SysWOW64\Nadpgggp.exe Ncbplk32.exe File created C:\Windows\SysWOW64\Blmfea32.exe Bnielm32.exe File created C:\Windows\SysWOW64\Eeoliecf.dll Jfekcg32.exe File opened for modification C:\Windows\SysWOW64\Jifdebic.exe Jfghif32.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Dggcffhg.exe File created C:\Windows\SysWOW64\Gmgninie.exe Gikaio32.exe File created C:\Windows\SysWOW64\Edkcojga.exe Eqpgol32.exe File opened for modification C:\Windows\SysWOW64\Eqbddk32.exe Endhhp32.exe File created C:\Windows\SysWOW64\Jcjdpj32.exe Jdgdempa.exe File created C:\Windows\SysWOW64\Pdlbongd.dll Mencccop.exe File opened for modification C:\Windows\SysWOW64\Mhdplq32.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Adpkee32.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Okphjd32.dll Bhigphio.exe File created C:\Windows\SysWOW64\Hadfjo32.dll Cdikkg32.exe File created C:\Windows\SysWOW64\Mlhkpm32.exe Mhloponc.exe File opened for modification C:\Windows\SysWOW64\Hbappj32.dll Apalea32.exe File created C:\Windows\SysWOW64\Enfenplo.exe Enfenplo.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gdjpeifj.exe -
Program crash 1 IoCs
pid pid_target Process 6704 6932 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll" Mmihhelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjnfniii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amfcikek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dogefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfobbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahdaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll" Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogeigofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jbdonb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbkhq32.dll" Jkbcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpdnkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeenochi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeidehe.dll" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdafiei.dll" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpehocqo.dll" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfbcbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll" Aemkjiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biddmpnf.dll" Hdildlie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njlockkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Albjlcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjdfmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncmfqkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll" Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pckoam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkbcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abjebn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jneohcll.dll" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2064 wrote to memory of 2836 2064 622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2836 2064 622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2836 2064 622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2836 2064 622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe 28 PID 2836 wrote to memory of 3012 2836 Fmcoja32.exe 29 PID 2836 wrote to memory of 3012 2836 Fmcoja32.exe 29 PID 2836 wrote to memory of 3012 2836 Fmcoja32.exe 29 PID 2836 wrote to memory of 3012 2836 Fmcoja32.exe 29 PID 3012 wrote to memory of 2660 3012 Fhhcgj32.exe 30 PID 3012 wrote to memory of 2660 3012 Fhhcgj32.exe 30 PID 3012 wrote to memory of 2660 3012 Fhhcgj32.exe 30 PID 3012 wrote to memory of 2660 3012 Fhhcgj32.exe 30 PID 2660 wrote to memory of 2928 2660 Fpdhklkl.exe 31 PID 2660 wrote to memory of 2928 2660 Fpdhklkl.exe 31 PID 2660 wrote to memory of 2928 2660 Fpdhklkl.exe 31 PID 2660 wrote to memory of 2928 2660 Fpdhklkl.exe 31 PID 2928 wrote to memory of 2136 2928 Fjlhneio.exe 32 PID 2928 wrote to memory of 2136 2928 Fjlhneio.exe 32 PID 2928 wrote to memory of 2136 2928 Fjlhneio.exe 32 PID 2928 wrote to memory of 2136 2928 Fjlhneio.exe 32 PID 2136 wrote to memory of 2452 2136 Ffbicfoc.exe 33 PID 2136 wrote to memory of 2452 2136 Ffbicfoc.exe 33 PID 2136 wrote to memory of 2452 2136 Ffbicfoc.exe 33 PID 2136 wrote to memory of 2452 2136 Ffbicfoc.exe 33 PID 2452 wrote to memory of 2140 2452 Gonnhhln.exe 34 PID 2452 wrote to memory of 2140 2452 Gonnhhln.exe 34 PID 2452 wrote to memory of 2140 2452 Gonnhhln.exe 34 PID 2452 wrote to memory of 2140 2452 Gonnhhln.exe 34 PID 2140 wrote to memory of 2272 2140 Ghfbqn32.exe 35 PID 2140 wrote to memory of 2272 2140 Ghfbqn32.exe 35 PID 2140 wrote to memory of 2272 2140 Ghfbqn32.exe 35 PID 2140 wrote to memory of 2272 2140 Ghfbqn32.exe 35 PID 2272 wrote to memory of 1880 2272 Gopkmhjk.exe 36 PID 2272 wrote to memory of 1880 2272 Gopkmhjk.exe 36 PID 2272 wrote to memory of 1880 2272 Gopkmhjk.exe 36 PID 2272 wrote to memory of 1880 2272 Gopkmhjk.exe 36 PID 1880 wrote to memory of 2240 1880 Gangic32.exe 37 PID 1880 wrote to memory of 2240 1880 Gangic32.exe 37 PID 1880 wrote to memory of 2240 1880 Gangic32.exe 37 PID 1880 wrote to memory of 2240 1880 Gangic32.exe 37 PID 2240 wrote to memory of 1096 2240 Gacpdbej.exe 38 PID 2240 wrote to memory of 1096 2240 Gacpdbej.exe 38 PID 2240 wrote to memory of 1096 2240 Gacpdbej.exe 38 PID 2240 wrote to memory of 1096 2240 Gacpdbej.exe 38 PID 1096 wrote to memory of 2676 1096 Gaemjbcg.exe 39 PID 1096 wrote to memory of 2676 1096 Gaemjbcg.exe 39 PID 1096 wrote to memory of 2676 1096 Gaemjbcg.exe 39 PID 1096 wrote to memory of 2676 1096 Gaemjbcg.exe 39 PID 2676 wrote to memory of 576 2676 Hknach32.exe 40 PID 2676 wrote to memory of 576 2676 Hknach32.exe 40 PID 2676 wrote to memory of 576 2676 Hknach32.exe 40 PID 2676 wrote to memory of 576 2676 Hknach32.exe 40 PID 576 wrote to memory of 1268 576 Hahjpbad.exe 41 PID 576 wrote to memory of 1268 576 Hahjpbad.exe 41 PID 576 wrote to memory of 1268 576 Hahjpbad.exe 41 PID 576 wrote to memory of 1268 576 Hahjpbad.exe 41 PID 1268 wrote to memory of 1568 1268 Hicodd32.exe 42 PID 1268 wrote to memory of 1568 1268 Hicodd32.exe 42 PID 1268 wrote to memory of 1568 1268 Hicodd32.exe 42 PID 1268 wrote to memory of 1568 1268 Hicodd32.exe 42 PID 1568 wrote to memory of 2384 1568 Hlakpp32.exe 43 PID 1568 wrote to memory of 2384 1568 Hlakpp32.exe 43 PID 1568 wrote to memory of 2384 1568 Hlakpp32.exe 43 PID 1568 wrote to memory of 2384 1568 Hlakpp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\622a252e02b5a2db92b3c3bab8b53940_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe26⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe27⤵
- Loads dropped DLL
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe35⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe36⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe37⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe40⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe41⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe43⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe44⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe45⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe46⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe47⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe49⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe52⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe53⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe55⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe56⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe57⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe59⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe60⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe62⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe63⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe65⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe66⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe67⤵PID:636
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe68⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe69⤵PID:1984
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe70⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe71⤵PID:2528
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe72⤵PID:1336
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe73⤵PID:2472
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe74⤵PID:2488
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe75⤵
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe76⤵PID:1348
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe77⤵PID:1960
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe78⤵PID:600
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe79⤵PID:1792
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe80⤵PID:1324
-
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe81⤵PID:2920
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe82⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe83⤵PID:1548
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe84⤵PID:3048
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe86⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe89⤵PID:1032
-
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe90⤵PID:2216
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe91⤵PID:592
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe92⤵PID:2036
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe93⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe95⤵PID:2056
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe96⤵PID:2552
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe97⤵PID:616
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe98⤵PID:2580
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe99⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe100⤵PID:964
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe101⤵PID:2040
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe102⤵PID:2636
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe103⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe104⤵PID:1308
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe105⤵PID:928
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe106⤵PID:916
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe107⤵PID:1292
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe108⤵PID:2152
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe109⤵PID:1516
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe110⤵PID:2560
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe111⤵PID:2448
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe112⤵PID:2900
-
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe113⤵PID:1708
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe114⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe115⤵PID:1508
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe116⤵PID:2436
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe117⤵PID:1720
-
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe118⤵PID:2124
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe119⤵PID:1948
-
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe121⤵PID:2672
-
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe122⤵PID:1000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-