Analysis
-
max time kernel
122s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:41
Behavioral task
behavioral1
Sample
624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe
-
Size
664KB
-
MD5
624b6e90386829f0135dda425b69e650
-
SHA1
42126bccd4d14b47d2c775d771a23a1d17756212
-
SHA256
31d2a117fe59c590954951b4b53a149414da9abe6279c6bc59cac1012fce2891
-
SHA512
dc9c5625f754f7d0d543a3be165fb74c9f1810d14825bf9f21528fce3b05f3871556e47827c47578806b2d7fbb8b7706900e5f2a14a26f1adb85d370fb9d8213
-
SSDEEP
12288:JhZapV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmRS:JraW4XWleKWNUir2MhNl6zX3w9As/xOX
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbleeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifffkncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfhfab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbeoibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfidjbdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibfajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdbpnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmhmlbkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbdgqimc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcgjmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Deojci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bflbigdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnpojca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcpfedki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dinklffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knmhgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefamlak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfolaang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfbfjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Geoonjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfliim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcgogk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpfedki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofcqcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgegok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kokjdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgplkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baohhgnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgpfkakd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahlhkhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Liminmmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihjnom32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000e00000001226b-5.dat family_berbew behavioral1/files/0x0008000000015cc7-25.dat family_berbew behavioral1/files/0x0007000000015cf0-34.dat family_berbew behavioral1/files/0x0008000000015d0c-47.dat family_berbew behavioral1/files/0x00070000000165a8-61.dat family_berbew behavioral1/files/0x000600000001686d-80.dat family_berbew behavioral1/files/0x0006000000016c56-88.dat family_berbew behavioral1/files/0x0035000000015c93-108.dat family_berbew behavioral1/files/0x0006000000016cc3-115.dat family_berbew behavioral1/files/0x0006000000016d1b-128.dat family_berbew behavioral1/files/0x0006000000016d34-141.dat family_berbew behavioral1/files/0x0006000000016d45-154.dat family_berbew behavioral1/files/0x0006000000016d61-167.dat family_berbew behavioral1/files/0x0006000000016d69-187.dat family_berbew behavioral1/files/0x0006000000016dda-194.dat family_berbew behavioral1/files/0x0006000000016de7-207.dat family_berbew behavioral1/files/0x0006000000017042-223.dat family_berbew behavioral1/files/0x0006000000017486-230.dat family_berbew behavioral1/files/0x0006000000018663-242.dat family_berbew behavioral1/files/0x001100000001867a-250.dat family_berbew behavioral1/files/0x00050000000186e6-260.dat family_berbew behavioral1/files/0x00050000000186ff-269.dat family_berbew behavioral1/files/0x000500000001873f-279.dat family_berbew behavioral1/files/0x000500000001878d-290.dat family_berbew behavioral1/memory/1996-289-0x0000000000300000-0x0000000000335000-memory.dmp family_berbew behavioral1/files/0x0005000000019228-300.dat family_berbew behavioral1/memory/1708-315-0x00000000002F0000-0x0000000000325000-memory.dmp family_berbew behavioral1/memory/1708-314-0x00000000002F0000-0x0000000000325000-memory.dmp family_berbew behavioral1/files/0x000500000001925d-311.dat family_berbew behavioral1/files/0x0005000000019275-324.dat family_berbew behavioral1/memory/1972-328-0x0000000000440000-0x0000000000475000-memory.dmp family_berbew behavioral1/files/0x0005000000019283-334.dat family_berbew behavioral1/memory/1612-344-0x00000000002F0000-0x0000000000325000-memory.dmp family_berbew behavioral1/files/0x0005000000019381-347.dat family_berbew behavioral1/memory/1612-352-0x00000000002F0000-0x0000000000325000-memory.dmp family_berbew behavioral1/files/0x00050000000193a5-355.dat family_berbew behavioral1/memory/2428-358-0x0000000000440000-0x0000000000475000-memory.dmp family_berbew behavioral1/files/0x0005000000019433-367.dat family_berbew behavioral1/memory/2736-368-0x0000000000440000-0x0000000000475000-memory.dmp family_berbew behavioral1/files/0x0005000000019457-376.dat family_berbew behavioral1/files/0x0005000000019491-389.dat family_berbew behavioral1/memory/2540-387-0x0000000000440000-0x0000000000475000-memory.dmp family_berbew behavioral1/files/0x00050000000194b8-398.dat family_berbew behavioral1/memory/2672-401-0x0000000000260000-0x0000000000295000-memory.dmp family_berbew behavioral1/files/0x00050000000194ef-411.dat family_berbew behavioral1/files/0x0005000000019507-420.dat family_berbew behavioral1/memory/2804-423-0x00000000002F0000-0x0000000000325000-memory.dmp family_berbew behavioral1/memory/2804-424-0x00000000002F0000-0x0000000000325000-memory.dmp family_berbew behavioral1/memory/2872-434-0x0000000000260000-0x0000000000295000-memory.dmp family_berbew behavioral1/memory/2872-435-0x0000000000260000-0x0000000000295000-memory.dmp family_berbew behavioral1/files/0x000500000001957d-432.dat family_berbew behavioral1/files/0x00050000000195e3-442.dat family_berbew behavioral1/memory/2856-446-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/memory/2856-445-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x000500000001961c-453.dat family_berbew behavioral1/files/0x000500000001961f-461.dat family_berbew behavioral1/memory/2172-464-0x0000000000440000-0x0000000000475000-memory.dmp family_berbew behavioral1/files/0x0005000000019622-476.dat family_berbew behavioral1/memory/2836-477-0x00000000002D0000-0x0000000000305000-memory.dmp family_berbew behavioral1/files/0x0005000000019626-485.dat family_berbew behavioral1/files/0x0005000000019638-498.dat family_berbew behavioral1/memory/1160-504-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x00050000000196bd-505.dat family_berbew behavioral1/files/0x00050000000199b8-518.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1536 Dcknbh32.exe 2340 Ejgcdb32.exe 2792 Enihne32.exe 2660 Enkece32.exe 2860 Fnpnndgp.exe 2548 Fjgoce32.exe 2472 Fhkpmjln.exe 2768 Fphafl32.exe 1948 Gicbeald.exe 1064 Ghhofmql.exe 1260 Gdamqndn.exe 2492 Hknach32.exe 2292 Hdhbam32.exe 2516 Hgilchkf.exe 2932 Hjjddchg.exe 784 Ieqeidnl.exe 1500 Inngcfid.exe 2988 Iggkllpe.exe 848 Idklfpon.exe 448 Igihbknb.exe 1552 Idmhkpml.exe 1020 Igkdgk32.exe 1996 Jqdipqbp.exe 2616 Jfqahgpg.exe 1708 Jbgbni32.exe 1972 Jkpgfn32.exe 1352 Jcgogk32.exe 1612 Jicgpb32.exe 2428 Jgidao32.exe 2736 Jnclnihj.exe 2740 Kbqecg32.exe 2540 Kcbakpdo.exe 2672 Kcdnao32.exe 2588 Kmmcjehm.exe 2804 Kpkofpgq.exe 2872 Kmopod32.exe 2856 Kmaled32.exe 2172 Lpphap32.exe 1036 Lmcijcbe.exe 2836 Lflmci32.exe 812 Lafndg32.exe 1160 Lhpfqama.exe 2408 Llnofpcg.exe 600 Lollckbk.exe 572 Lefdpe32.exe 1872 Mamddf32.exe 2156 Mhgmapfi.exe 408 Mpbaebdd.exe 1640 Mgljbm32.exe 1880 Mlibjc32.exe 2264 Mdpjlajk.exe 284 Mimbdhhb.exe 884 Mlkopcge.exe 1736 Mgqcmlgl.exe 1768 Miooigfo.exe 2748 Ncgdbmmp.exe 2236 Nlphkb32.exe 2708 Namqci32.exe 2564 Nhfipcid.exe 1572 Nncahjgl.exe 1040 Nejiih32.exe 2416 Nkgbbo32.exe 2024 Nnennj32.exe 1308 Nhkbkc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2976 624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe 2976 624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe 1536 Dcknbh32.exe 1536 Dcknbh32.exe 2340 Ejgcdb32.exe 2340 Ejgcdb32.exe 2792 Enihne32.exe 2792 Enihne32.exe 2660 Enkece32.exe 2660 Enkece32.exe 2860 Fnpnndgp.exe 2860 Fnpnndgp.exe 2548 Fjgoce32.exe 2548 Fjgoce32.exe 2472 Fhkpmjln.exe 2472 Fhkpmjln.exe 2768 Fphafl32.exe 2768 Fphafl32.exe 1948 Gicbeald.exe 1948 Gicbeald.exe 1064 Ghhofmql.exe 1064 Ghhofmql.exe 1260 Gdamqndn.exe 1260 Gdamqndn.exe 2492 Hknach32.exe 2492 Hknach32.exe 2292 Hdhbam32.exe 2292 Hdhbam32.exe 2516 Hgilchkf.exe 2516 Hgilchkf.exe 2932 Hjjddchg.exe 2932 Hjjddchg.exe 784 Ieqeidnl.exe 784 Ieqeidnl.exe 1500 Inngcfid.exe 1500 Inngcfid.exe 2988 Iggkllpe.exe 2988 Iggkllpe.exe 848 Idklfpon.exe 848 Idklfpon.exe 448 Igihbknb.exe 448 Igihbknb.exe 1552 Idmhkpml.exe 1552 Idmhkpml.exe 1020 Igkdgk32.exe 1020 Igkdgk32.exe 1996 Jqdipqbp.exe 1996 Jqdipqbp.exe 2616 Jfqahgpg.exe 2616 Jfqahgpg.exe 1708 Jbgbni32.exe 1708 Jbgbni32.exe 1972 Jkpgfn32.exe 1972 Jkpgfn32.exe 1352 Jcgogk32.exe 1352 Jcgogk32.exe 1612 Jicgpb32.exe 1612 Jicgpb32.exe 2428 Jgidao32.exe 2428 Jgidao32.exe 2736 Jnclnihj.exe 2736 Jnclnihj.exe 2740 Kbqecg32.exe 2740 Kbqecg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gmjcblbb.exe Gligjd32.exe File created C:\Windows\SysWOW64\Bhdbmf32.dll Qjkjle32.exe File created C:\Windows\SysWOW64\Bfccei32.exe Bcegin32.exe File created C:\Windows\SysWOW64\Inkaippf.dll Ogeigofa.exe File opened for modification C:\Windows\SysWOW64\Jdpndnei.exe Jabbhcfe.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Process not Found File created C:\Windows\SysWOW64\Jcgogk32.exe Jkpgfn32.exe File opened for modification C:\Windows\SysWOW64\Dgdpfp32.exe Dnlkmkpn.exe File created C:\Windows\SysWOW64\Gcighi32.dll Jehlkhig.exe File opened for modification C:\Windows\SysWOW64\Ajckilei.exe Process not Found File created C:\Windows\SysWOW64\Candgk32.exe Cpmhpbkc.exe File opened for modification C:\Windows\SysWOW64\Ioilkblq.exe Iknpkd32.exe File created C:\Windows\SysWOW64\Goplilpf.exe Ggicgopd.exe File created C:\Windows\SysWOW64\Jmegnj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bppoqeja.exe Bifgdk32.exe File created C:\Windows\SysWOW64\Egnhob32.dll Nmnace32.exe File created C:\Windows\SysWOW64\Dqlapaeh.dll Deollamj.exe File opened for modification C:\Windows\SysWOW64\Hahnac32.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Eklqcl32.exe Ehmdgp32.exe File created C:\Windows\SysWOW64\Kfmmfimm.dll Fnacpffh.exe File created C:\Windows\SysWOW64\Nakpkfka.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jbnjhh32.exe Process not Found File created C:\Windows\SysWOW64\Jondlhmp.dll Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Mlhkpm32.exe Mbpgggol.exe File created C:\Windows\SysWOW64\Lclgjg32.exe Lqmjnk32.exe File created C:\Windows\SysWOW64\Ecfeho32.dll Mabphn32.exe File created C:\Windows\SysWOW64\Abmbhn32.exe Albjlcao.exe File opened for modification C:\Windows\SysWOW64\Iecdhm32.exe Iahhgnkd.exe File created C:\Windows\SysWOW64\Jokbld32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bnapnm32.exe Process not Found File created C:\Windows\SysWOW64\Dlnbeh32.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Lcojjmea.exe Lnbbbffj.exe File created C:\Windows\SysWOW64\Noljjglk.exe Npijoj32.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Ehgppi32.exe File created C:\Windows\SysWOW64\Lmkibjgj.dll Gjbmelgm.exe File opened for modification C:\Windows\SysWOW64\Hfepod32.exe Process not Found File created C:\Windows\SysWOW64\Bfabnl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pamiog32.exe Pnomcl32.exe File opened for modification C:\Windows\SysWOW64\Gfhladfn.exe Gdjpeifj.exe File created C:\Windows\SysWOW64\Kmcipd32.dll Kocbkk32.exe File created C:\Windows\SysWOW64\Enbnkigh.exe Ekcaonhe.exe File opened for modification C:\Windows\SysWOW64\Lpekon32.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Gnhhch32.dll Jcpkpe32.exe File created C:\Windows\SysWOW64\Imodkadq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fplllkdc.exe Process not Found File created C:\Windows\SysWOW64\Aphjjf32.exe Process not Found File created C:\Windows\SysWOW64\Ghgfekpn.exe Process not Found File created C:\Windows\SysWOW64\Fmfnhj32.exe Fgiepced.exe File created C:\Windows\SysWOW64\Popnbp32.dll Epgphcqd.exe File created C:\Windows\SysWOW64\Hbqmnm32.dll Ecfldoph.exe File created C:\Windows\SysWOW64\Lofoed32.dll Jplkmgol.exe File opened for modification C:\Windows\SysWOW64\Jgncfcaa.exe Jcbhee32.exe File created C:\Windows\SysWOW64\Pkacpihj.exe Pgegok32.exe File opened for modification C:\Windows\SysWOW64\Eakooqih.exe Process not Found File created C:\Windows\SysWOW64\Lopfhk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kdjccf32.exe Jlckbh32.exe File created C:\Windows\SysWOW64\Nfidjbdg.exe Kfebambf.exe File created C:\Windows\SysWOW64\Oiffkkbk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dncibp32.exe Process not Found File created C:\Windows\SysWOW64\Cofnjj32.exe Clgbno32.exe File opened for modification C:\Windows\SysWOW64\Epgphcqd.exe Eniclh32.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qcpofbjl.exe File created C:\Windows\SysWOW64\Dclckn32.dll Fcbbjcif.exe File created C:\Windows\SysWOW64\Jojndakj.dll Jfcqgpfi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7920 7880 Process not Found 1395 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odoloalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfdabino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Delmmigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jonbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnijp32.dll" Inngcfid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcijeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahcqf32.dll" Peoalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfhdfp.dll" Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpadhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbleeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafbbbmg.dll" Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqmaqbm.dll" Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkeapk32.dll" Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" Nekbmgcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhfpdl32.dll" Hjdfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpkkjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmifhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Giiglhjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecnoijbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcgapdeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abmdafpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jplkmgol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omnipjni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll" Cfnmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkgcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqfnjifg.dll" Lklejh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjbmelgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Beejng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgbpebh.dll" Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jhdihkcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obilnl32.dll" Cdbdjhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihpdoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjipenda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemjkkbq.dll" Nfidjbdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbqecg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flqmbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfjnla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqahn32.dll" Aqjdgmgd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2976 wrote to memory of 1536 2976 624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe 28 PID 2976 wrote to memory of 1536 2976 624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe 28 PID 2976 wrote to memory of 1536 2976 624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe 28 PID 2976 wrote to memory of 1536 2976 624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe 28 PID 1536 wrote to memory of 2340 1536 Dcknbh32.exe 29 PID 1536 wrote to memory of 2340 1536 Dcknbh32.exe 29 PID 1536 wrote to memory of 2340 1536 Dcknbh32.exe 29 PID 1536 wrote to memory of 2340 1536 Dcknbh32.exe 29 PID 2340 wrote to memory of 2792 2340 Ejgcdb32.exe 30 PID 2340 wrote to memory of 2792 2340 Ejgcdb32.exe 30 PID 2340 wrote to memory of 2792 2340 Ejgcdb32.exe 30 PID 2340 wrote to memory of 2792 2340 Ejgcdb32.exe 30 PID 2792 wrote to memory of 2660 2792 Enihne32.exe 31 PID 2792 wrote to memory of 2660 2792 Enihne32.exe 31 PID 2792 wrote to memory of 2660 2792 Enihne32.exe 31 PID 2792 wrote to memory of 2660 2792 Enihne32.exe 31 PID 2660 wrote to memory of 2860 2660 Enkece32.exe 32 PID 2660 wrote to memory of 2860 2660 Enkece32.exe 32 PID 2660 wrote to memory of 2860 2660 Enkece32.exe 32 PID 2660 wrote to memory of 2860 2660 Enkece32.exe 32 PID 2860 wrote to memory of 2548 2860 Fnpnndgp.exe 33 PID 2860 wrote to memory of 2548 2860 Fnpnndgp.exe 33 PID 2860 wrote to memory of 2548 2860 Fnpnndgp.exe 33 PID 2860 wrote to memory of 2548 2860 Fnpnndgp.exe 33 PID 2548 wrote to memory of 2472 2548 Fjgoce32.exe 34 PID 2548 wrote to memory of 2472 2548 Fjgoce32.exe 34 PID 2548 wrote to memory of 2472 2548 Fjgoce32.exe 34 PID 2548 wrote to memory of 2472 2548 Fjgoce32.exe 34 PID 2472 wrote to memory of 2768 2472 Fhkpmjln.exe 35 PID 2472 wrote to memory of 2768 2472 Fhkpmjln.exe 35 PID 2472 wrote to memory of 2768 2472 Fhkpmjln.exe 35 PID 2472 wrote to memory of 2768 2472 Fhkpmjln.exe 35 PID 2768 wrote to memory of 1948 2768 Fphafl32.exe 36 PID 2768 wrote to memory of 1948 2768 Fphafl32.exe 36 PID 2768 wrote to memory of 1948 2768 Fphafl32.exe 36 PID 2768 wrote to memory of 1948 2768 Fphafl32.exe 36 PID 1948 wrote to memory of 1064 1948 Gicbeald.exe 37 PID 1948 wrote to memory of 1064 1948 Gicbeald.exe 37 PID 1948 wrote to memory of 1064 1948 Gicbeald.exe 37 PID 1948 wrote to memory of 1064 1948 Gicbeald.exe 37 PID 1064 wrote to memory of 1260 1064 Ghhofmql.exe 38 PID 1064 wrote to memory of 1260 1064 Ghhofmql.exe 38 PID 1064 wrote to memory of 1260 1064 Ghhofmql.exe 38 PID 1064 wrote to memory of 1260 1064 Ghhofmql.exe 38 PID 1260 wrote to memory of 2492 1260 Gdamqndn.exe 39 PID 1260 wrote to memory of 2492 1260 Gdamqndn.exe 39 PID 1260 wrote to memory of 2492 1260 Gdamqndn.exe 39 PID 1260 wrote to memory of 2492 1260 Gdamqndn.exe 39 PID 2492 wrote to memory of 2292 2492 Hknach32.exe 40 PID 2492 wrote to memory of 2292 2492 Hknach32.exe 40 PID 2492 wrote to memory of 2292 2492 Hknach32.exe 40 PID 2492 wrote to memory of 2292 2492 Hknach32.exe 40 PID 2292 wrote to memory of 2516 2292 Hdhbam32.exe 41 PID 2292 wrote to memory of 2516 2292 Hdhbam32.exe 41 PID 2292 wrote to memory of 2516 2292 Hdhbam32.exe 41 PID 2292 wrote to memory of 2516 2292 Hdhbam32.exe 41 PID 2516 wrote to memory of 2932 2516 Hgilchkf.exe 42 PID 2516 wrote to memory of 2932 2516 Hgilchkf.exe 42 PID 2516 wrote to memory of 2932 2516 Hgilchkf.exe 42 PID 2516 wrote to memory of 2932 2516 Hgilchkf.exe 42 PID 2932 wrote to memory of 784 2932 Hjjddchg.exe 43 PID 2932 wrote to memory of 784 2932 Hjjddchg.exe 43 PID 2932 wrote to memory of 784 2932 Hjjddchg.exe 43 PID 2932 wrote to memory of 784 2932 Hjjddchg.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\624b6e90386829f0135dda425b69e650_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe33⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe34⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe35⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe36⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe37⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe38⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe39⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe40⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe41⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe42⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe43⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe44⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe45⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe46⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe47⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe48⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe49⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe50⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe51⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe52⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe53⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe54⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe55⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe56⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe57⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe58⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe61⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe62⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe63⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe64⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe65⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe66⤵PID:2256
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe67⤵PID:2288
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe68⤵PID:1940
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe69⤵PID:576
-
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe70⤵PID:1668
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe71⤵PID:2336
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe72⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe73⤵PID:2028
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe74⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe75⤵PID:2196
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe76⤵PID:2424
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe77⤵PID:2688
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe78⤵PID:2696
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe79⤵PID:2532
-
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe81⤵PID:1976
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe82⤵PID:1060
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe83⤵PID:2300
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe84⤵PID:2212
-
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe85⤵PID:2924
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe86⤵
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe87⤵PID:1140
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe88⤵PID:1400
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe89⤵PID:2376
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe90⤵PID:1724
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe91⤵PID:2124
-
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe92⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe93⤵PID:2676
-
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe94⤵PID:2432
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe95⤵PID:2536
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe96⤵PID:3064
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe97⤵PID:2880
-
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe98⤵PID:1844
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe99⤵PID:3020
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe100⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe101⤵PID:1528
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe102⤵PID:1928
-
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe103⤵PID:624
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe104⤵PID:1096
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe105⤵PID:1820
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe106⤵PID:1716
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe107⤵PID:1664
-
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe108⤵PID:2984
-
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe109⤵PID:2200
-
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe110⤵PID:2640
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe111⤵PID:2668
-
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe112⤵PID:2224
-
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe113⤵PID:2772
-
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe114⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe115⤵PID:3036
-
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe116⤵PID:1728
-
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe117⤵PID:2228
-
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe118⤵PID:1824
-
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe119⤵PID:844
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe120⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe121⤵PID:2044
-
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe122⤵PID:2628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-