Analysis
-
max time kernel
142s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
09/05/2024, 14:47
Behavioral task
behavioral1
Sample
642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe
-
Size
768KB
-
MD5
642c2c5f3e7f6a0ef4ea6fe4567c4140
-
SHA1
4f9e5b2c6838b793be5529c8c19cb2b829f19921
-
SHA256
44b39a9feac6e55fe122b5e5599901c83ca052516e61e3ee6d37f655ff8881c3
-
SHA512
1dd564a0c909cfcbecddc79103d42028ebec6b9c8b7dbe9b8682ef78ff275dd7f4bacbae1e9547ae36cd4e78bc1b603a6e2ee3c2834075aa20356712ad46b9f8
-
SSDEEP
12288:A5ZvJ6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGJ:A5Dq5h3q5htaSHFaZRBEYyqmaf2qwiHP
Malware Config
Signatures
-
Adds an autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddliip32.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obdojcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napbjjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdmdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkpbcjg.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifhnpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiladcdh.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnnaoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqmoma.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfhmqhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfeppop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqfq32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan capable of downloading and installing a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c000000012286-5.dat family_berbew behavioral1/files/0x0007000000015d7b-19.dat family_berbew behavioral1/files/0x0009000000015d9f-40.dat family_berbew behavioral1/files/0x0007000000016c6f-48.dat family_berbew behavioral1/files/0x0003000000020943-5377.dat family_berbew behavioral1/files/0x000300000002099f-5489.dat family_berbew behavioral1/files/0x0003000000020997-5481.dat family_berbew behavioral1/files/0x0003000000020993-5473.dat family_berbew behavioral1/files/0x000300000002098d-5465.dat family_berbew behavioral1/files/0x0003000000020985-5457.dat family_berbew behavioral1/files/0x0003000000020980-5449.dat family_berbew behavioral1/files/0x000300000002097a-5441.dat family_berbew behavioral1/files/0x0003000000020970-5433.dat family_berbew behavioral1/files/0x0003000000020967-5425.dat family_berbew behavioral1/files/0x0003000000020963-5417.dat family_berbew behavioral1/files/0x000300000002095d-5409.dat family_berbew behavioral1/files/0x0003000000020959-5401.dat family_berbew behavioral1/files/0x0003000000020955-5393.dat family_berbew behavioral1/files/0x000300000002094a-5385.dat family_berbew behavioral1/files/0x000300000002093d-5369.dat family_berbew behavioral1/files/0x0003000000020935-5361.dat family_berbew behavioral1/files/0x000300000002092d-5353.dat family_berbew behavioral1/files/0x0003000000020922-5345.dat family_berbew behavioral1/files/0x000300000002091a-5334.dat family_berbew behavioral1/files/0x0003000000020914-5326.dat family_berbew behavioral1/files/0x000300000002090f-5318.dat family_berbew behavioral1/files/0x000300000002090b-5310.dat family_berbew behavioral1/files/0x0003000000020902-5302.dat family_berbew behavioral1/files/0x00030000000208fe-5294.dat family_berbew behavioral1/files/0x00030000000208f3-5286.dat family_berbew behavioral1/files/0x00030000000208e8-5278.dat family_berbew behavioral1/files/0x00030000000208de-5270.dat family_berbew behavioral1/files/0x00030000000208da-5262.dat family_berbew 
behavioral1/files/0x00030000000208d0-5246.dat family_berbew behavioral1/files/0x00030000000208d4-5254.dat family_berbew behavioral1/files/0x00030000000208c5-5238.dat family_berbew behavioral1/files/0x00030000000208b8-5230.dat family_berbew behavioral1/files/0x00030000000208aa-5222.dat family_berbew behavioral1/files/0x000300000002089f-5214.dat family_berbew behavioral1/files/0x0003000000020899-5206.dat family_berbew behavioral1/files/0x0003000000020893-5198.dat family_berbew behavioral1/files/0x000300000002088f-5190.dat family_berbew behavioral1/files/0x000300000002088b-5182.dat family_berbew behavioral1/files/0x0003000000020885-5174.dat family_berbew behavioral1/files/0x000300000002087c-5166.dat family_berbew behavioral1/files/0x0003000000020876-5158.dat family_berbew behavioral1/files/0x0003000000020872-5150.dat family_berbew behavioral1/files/0x0003000000020860-5142.dat family_berbew behavioral1/files/0x000300000002085c-5134.dat family_berbew behavioral1/files/0x0003000000020858-5126.dat family_berbew behavioral1/files/0x0003000000020854-5118.dat family_berbew behavioral1/files/0x0003000000020850-5110.dat family_berbew behavioral1/files/0x000300000002084d-5102.dat family_berbew behavioral1/files/0x0003000000020849-5094.dat family_berbew behavioral1/files/0x0003000000020846-5086.dat family_berbew behavioral1/files/0x00030000000209a3-5534.dat family_berbew behavioral1/files/0x0003000000020842-5078.dat family_berbew behavioral1/files/0x000300000002083e-5070.dat family_berbew behavioral1/files/0x000300000002083a-5062.dat family_berbew behavioral1/files/0x0003000000020834-5054.dat family_berbew behavioral1/files/0x000300000002082b-5046.dat family_berbew behavioral1/files/0x0003000000020827-5038.dat family_berbew behavioral1/files/0x0003000000020822-5030.dat family_berbew behavioral1/files/0x000300000002081b-5022.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1184 Bnbjopoi.exe 2352 Cjlgiqbk.exe 2780 Cfeddafl.exe 2868 Cbnbobin.exe 2616 Ddokpmfo.exe 2528 Dngoibmo.exe 2008 Ddagfm32.exe 1572 Djnpnc32.exe 2504 Dbehoa32.exe 2492 Ddcdkl32.exe 1988 Dgaqgh32.exe 2732 Djpmccqq.exe 1508 Dmoipopd.exe 1768 Ddeaalpg.exe 2288 Dgdmmgpj.exe 2276 Dnneja32.exe 1488 Dqlafm32.exe 3040 Dcknbh32.exe 2216 Emcbkn32.exe 2388 Ecmkghcl.exe 1524 Ejgcdb32.exe 604 Ecpgmhai.exe 568 Eilpeooq.exe 876 Eecqjpee.exe 2060 Epieghdk.exe 2312 Ebgacddo.exe 2972 Eiaiqn32.exe 2656 Eloemi32.exe 3032 Ennaieib.exe 2696 Ealnephf.exe 2956 Fhffaj32.exe 316 Fjdbnf32.exe 1948 Fmcoja32.exe 300 Fhhcgj32.exe 1128 Fnbkddem.exe 2612 Faagpp32.exe 2268 Ffnphf32.exe 1476 Facdeo32.exe 2916 Fdapak32.exe 2188 Ffpmnf32.exe 1644 Fioija32.exe 2148 Flmefm32.exe 1704 Fbgmbg32.exe 2872 Feeiob32.exe 2676 Fmlapp32.exe 3000 Gonnhhln.exe 2444 Gfefiemq.exe 2440 Ghfbqn32.exe 2568 Gpmjak32.exe 3084 Gbkgnfbd.exe 3136 Gejcjbah.exe 3188 Ghhofmql.exe 3240 Gobgcg32.exe 3292 Gaqcoc32.exe 3344 Gdopkn32.exe 3396 Gkihhhnm.exe 3448 Gacpdbej.exe 3500 Geolea32.exe 3552 Ggpimica.exe 3604 Gogangdc.exe 3656 Gaemjbcg.exe 3704 Gddifnbk.exe 3756 Hknach32.exe 3808 Hahjpbad.exe -
Loads dropped DLL 64 IoCs
pid Process 2244 642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe 2244 642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe 1184 Bnbjopoi.exe 1184 Bnbjopoi.exe 2352 Cjlgiqbk.exe 2352 Cjlgiqbk.exe 2780 Cfeddafl.exe 2780 Cfeddafl.exe 2868 Cbnbobin.exe 2868 Cbnbobin.exe 2616 Ddokpmfo.exe 2616 Ddokpmfo.exe 2528 Dngoibmo.exe 2528 Dngoibmo.exe 2008 Ddagfm32.exe 2008 Ddagfm32.exe 1572 Djnpnc32.exe 1572 Djnpnc32.exe 2504 Dbehoa32.exe 2504 Dbehoa32.exe 2492 Ddcdkl32.exe 2492 Ddcdkl32.exe 1988 Dgaqgh32.exe 1988 Dgaqgh32.exe 2732 Djpmccqq.exe 2732 Djpmccqq.exe 1508 Dmoipopd.exe 1508 Dmoipopd.exe 1768 Ddeaalpg.exe 1768 Ddeaalpg.exe 2288 Dgdmmgpj.exe 2288 Dgdmmgpj.exe 2276 Dnneja32.exe 2276 Dnneja32.exe 1488 Dqlafm32.exe 1488 Dqlafm32.exe 3040 Dcknbh32.exe 3040 Dcknbh32.exe 2216 Emcbkn32.exe 2216 Emcbkn32.exe 2388 Ecmkghcl.exe 2388 Ecmkghcl.exe 1524 Ejgcdb32.exe 1524 Ejgcdb32.exe 604 Ecpgmhai.exe 604 Ecpgmhai.exe 568 Eilpeooq.exe 568 Eilpeooq.exe 876 Eecqjpee.exe 876 Eecqjpee.exe 2060 Epieghdk.exe 2060 Epieghdk.exe 2312 Ebgacddo.exe 2312 Ebgacddo.exe 2972 Eiaiqn32.exe 2972 Eiaiqn32.exe 2656 Eloemi32.exe 2656 Eloemi32.exe 3032 Ennaieib.exe 3032 Ennaieib.exe 2696 Ealnephf.exe 2696 Ealnephf.exe 2956 Fhffaj32.exe 2956 Fhffaj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jijdkh32.dll Fidoim32.exe File created C:\Windows\SysWOW64\Nenobfak.exe Ncpcfkbg.exe File opened for modification C:\Windows\SysWOW64\Olgmcmgh.exe Ocohkh32.exe File created C:\Windows\SysWOW64\Mdeobp32.dll Ffodjh32.exe File created C:\Windows\SysWOW64\Jclpkjad.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ddkgbc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Abhimnma.exe Anlmmp32.exe File created C:\Windows\SysWOW64\Beogaenl.exe Process not Found File created C:\Windows\SysWOW64\Fgnadkic.exe Fnflke32.exe File opened for modification C:\Windows\SysWOW64\Iacjjacb.exe Process not Found File created C:\Windows\SysWOW64\Goedqe32.dll Lafndg32.exe File created C:\Windows\SysWOW64\Efaibbij.exe Eccmffjf.exe File created C:\Windows\SysWOW64\Jcnllk32.dll Process not Found File created C:\Windows\SysWOW64\Olahgd32.dll Process not Found File created C:\Windows\SysWOW64\Giaidnkf.exe Process not Found File created C:\Windows\SysWOW64\Fjdbnf32.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Nkgbbo32.exe Ndmjedoi.exe File created C:\Windows\SysWOW64\Jdjfho32.dll Dcenlceh.exe File opened for modification C:\Windows\SysWOW64\Modkfi32.exe Mlfojn32.exe File opened for modification C:\Windows\SysWOW64\Magqncba.exe Moidahcn.exe File created C:\Windows\SysWOW64\Momeefin.dll Bpfeppop.exe File opened for modification C:\Windows\SysWOW64\Mcjhmcok.exe Mkndhabp.exe File created C:\Windows\SysWOW64\Jqlhdo32.exe Jnmlhchd.exe File created C:\Windows\SysWOW64\Flqmbd32.exe Fgcejm32.exe File created C:\Windows\SysWOW64\Jpigma32.exe Jlnklcej.exe File created C:\Windows\SysWOW64\Abmgjo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cjoilfek.exe Process not Found File created C:\Windows\SysWOW64\Jpopml32.dll Process not Found File created C:\Windows\SysWOW64\Qlkdkd32.exe Qimhoi32.exe File opened for modification C:\Windows\SysWOW64\Oagmmgdm.exe Oohqqlei.exe File 
created C:\Windows\SysWOW64\Fkdqjn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bolcma32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocjpkm32.exe Process not Found File created C:\Windows\SysWOW64\Jdbnpf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Process not Found File created C:\Windows\SysWOW64\Blgcio32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ealnephf.exe Ennaieib.exe File opened for modification C:\Windows\SysWOW64\Hejoiedd.exe Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Pbkbgjcc.exe Pomfkndo.exe File created C:\Windows\SysWOW64\Jnghnbki.dll Olbchn32.exe File created C:\Windows\SysWOW64\Foehfmaf.dll Palepb32.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Nncbdomg.exe File created C:\Windows\SysWOW64\Cnlpnk32.dll Process not Found File created C:\Windows\SysWOW64\Eofjhkoj.dll Dlgldibq.exe File opened for modification C:\Windows\SysWOW64\Maedhd32.exe Mofglh32.exe File created C:\Windows\SysWOW64\Gedaglad.dll Hjfcpo32.exe File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gepafc32.exe File created C:\Windows\SysWOW64\Nkclkl32.exe Process not Found File created C:\Windows\SysWOW64\Bgjond32.dll Process not Found File created C:\Windows\SysWOW64\Flqkjo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jlelhe32.exe Iigpli32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Jmdepg32.exe File created C:\Windows\SysWOW64\Egpfmb32.dll Kocmim32.exe File created C:\Windows\SysWOW64\Bdfooh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ggpimica.exe Geolea32.exe File opened for modification C:\Windows\SysWOW64\Aefeijle.exe Abhimnma.exe File opened for modification C:\Windows\SysWOW64\Pdakniag.exe Ppfomk32.exe File created C:\Windows\SysWOW64\Kfggkc32.exe Process not Found File created C:\Windows\SysWOW64\Ncaean32.dll Process not Found File created 
C:\Windows\SysWOW64\Cdamao32.exe Process not Found File created C:\Windows\SysWOW64\Lmikibio.exe Linphc32.exe File opened for modification C:\Windows\SysWOW64\Inlkik32.exe Ijqoilii.exe File created C:\Windows\SysWOW64\Jfojpn32.exe Process not Found File created C:\Windows\SysWOW64\Bpgljfbl.exe Aoepcn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eniclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mclcijfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cadhnmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amqccfed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bajpcflf.dll" Abpjjeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmqokqf.dll" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obknqjig.dll" Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaheie32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eccpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchkhe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmcgmjk.dll" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll" Okanklik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omefkplm.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmfkfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghakg32.dll" Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffgkhmc.dll" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnqjhh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnici32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohibdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdimmi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfldmeci.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kegqdqbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acfaeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opppqdgk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocohkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfqmi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 1184 2244 642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe 28 PID 2244 wrote to memory of 1184 2244 642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe 28 PID 2244 wrote to memory of 1184 2244 642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe 28 PID 2244 wrote to memory of 1184 2244 642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe 28 PID 1184 wrote to memory of 2352 1184 Bnbjopoi.exe 29 PID 1184 wrote to memory of 2352 1184 Bnbjopoi.exe 29 PID 1184 wrote to memory of 2352 1184 Bnbjopoi.exe 29 PID 1184 wrote to memory of 2352 1184 Bnbjopoi.exe 29 PID 2352 wrote to memory of 2780 2352 Cjlgiqbk.exe 30 PID 2352 wrote to memory of 2780 2352 Cjlgiqbk.exe 30 PID 2352 wrote to memory of 2780 2352 Cjlgiqbk.exe 30 PID 2352 wrote to memory of 2780 2352 Cjlgiqbk.exe 30 PID 2780 wrote to memory of 2868 2780 Cfeddafl.exe 31 PID 2780 wrote to memory of 2868 2780 Cfeddafl.exe 31 PID 2780 wrote to memory of 2868 2780 Cfeddafl.exe 31 PID 2780 wrote to memory of 2868 2780 Cfeddafl.exe 31 PID 2868 wrote to memory of 2616 2868 Cbnbobin.exe 32 PID 2868 wrote to memory of 2616 2868 Cbnbobin.exe 32 PID 2868 wrote to memory of 2616 2868 Cbnbobin.exe 32 PID 2868 wrote to memory of 2616 2868 Cbnbobin.exe 32 PID 2616 wrote to memory of 2528 2616 Ddokpmfo.exe 33 PID 2616 wrote to memory of 2528 2616 Ddokpmfo.exe 33 PID 2616 wrote to memory of 2528 2616 Ddokpmfo.exe 33 PID 2616 wrote to memory of 2528 2616 Ddokpmfo.exe 33 PID 2528 wrote to memory of 2008 2528 Dngoibmo.exe 34 PID 2528 wrote to memory of 2008 2528 Dngoibmo.exe 34 PID 2528 wrote to memory of 2008 2528 Dngoibmo.exe 34 PID 2528 wrote to memory of 2008 2528 Dngoibmo.exe 34 PID 2008 wrote to memory of 1572 2008 Ddagfm32.exe 35 PID 2008 wrote to memory of 1572 2008 Ddagfm32.exe 35 PID 2008 wrote to memory of 1572 2008 Ddagfm32.exe 35 PID 2008 wrote to memory of 1572 2008 Ddagfm32.exe 35 PID 1572 wrote to memory of 2504 1572 Djnpnc32.exe 36 PID 1572 wrote to 
memory of 2504 1572 Djnpnc32.exe 36 PID 1572 wrote to memory of 2504 1572 Djnpnc32.exe 36 PID 1572 wrote to memory of 2504 1572 Djnpnc32.exe 36 PID 2504 wrote to memory of 2492 2504 Dbehoa32.exe 37 PID 2504 wrote to memory of 2492 2504 Dbehoa32.exe 37 PID 2504 wrote to memory of 2492 2504 Dbehoa32.exe 37 PID 2504 wrote to memory of 2492 2504 Dbehoa32.exe 37 PID 2492 wrote to memory of 1988 2492 Ddcdkl32.exe 38 PID 2492 wrote to memory of 1988 2492 Ddcdkl32.exe 38 PID 2492 wrote to memory of 1988 2492 Ddcdkl32.exe 38 PID 2492 wrote to memory of 1988 2492 Ddcdkl32.exe 38 PID 1988 wrote to memory of 2732 1988 Dgaqgh32.exe 39 PID 1988 wrote to memory of 2732 1988 Dgaqgh32.exe 39 PID 1988 wrote to memory of 2732 1988 Dgaqgh32.exe 39 PID 1988 wrote to memory of 2732 1988 Dgaqgh32.exe 39 PID 2732 wrote to memory of 1508 2732 Djpmccqq.exe 40 PID 2732 wrote to memory of 1508 2732 Djpmccqq.exe 40 PID 2732 wrote to memory of 1508 2732 Djpmccqq.exe 40 PID 2732 wrote to memory of 1508 2732 Djpmccqq.exe 40 PID 1508 wrote to memory of 1768 1508 Dmoipopd.exe 41 PID 1508 wrote to memory of 1768 1508 Dmoipopd.exe 41 PID 1508 wrote to memory of 1768 1508 Dmoipopd.exe 41 PID 1508 wrote to memory of 1768 1508 Dmoipopd.exe 41 PID 1768 wrote to memory of 2288 1768 Ddeaalpg.exe 42 PID 1768 wrote to memory of 2288 1768 Ddeaalpg.exe 42 PID 1768 wrote to memory of 2288 1768 Ddeaalpg.exe 42 PID 1768 wrote to memory of 2288 1768 Ddeaalpg.exe 42 PID 2288 wrote to memory of 2276 2288 Dgdmmgpj.exe 43 PID 2288 wrote to memory of 2276 2288 Dgdmmgpj.exe 43 PID 2288 wrote to memory of 2276 2288 Dgdmmgpj.exe 43 PID 2288 wrote to memory of 2276 2288 Dgdmmgpj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\642c2c5f3e7f6a0ef4ea6fe4567c4140_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe33⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe34⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe35⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe36⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe38⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe39⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe40⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe41⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe42⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe43⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe44⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe45⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe46⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe47⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe48⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe50⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3084 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe52⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe53⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe54⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe55⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe56⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe57⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe58⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe60⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe61⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe62⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe63⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe64⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe65⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe66⤵PID:3860
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe67⤵PID:3912
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe68⤵PID:3964
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe69⤵
- Drops file in System32 directory
PID:4016 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe70⤵
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe71⤵PID:792
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe72⤵PID:868
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe73⤵PID:1624
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe74⤵PID:2572
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe76⤵PID:2704
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe77⤵PID:2896
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe78⤵PID:336
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe79⤵PID:2964
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe80⤵PID:3092
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe81⤵PID:3116
-
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe82⤵PID:3168
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe83⤵PID:3228
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe84⤵PID:3288
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe85⤵PID:3324
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe86⤵PID:3412
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe87⤵PID:3516
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe88⤵
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe89⤵PID:2380
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe90⤵PID:3664
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe91⤵PID:3732
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe92⤵PID:3776
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe93⤵PID:3836
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe94⤵PID:3900
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe95⤵PID:3984
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe96⤵PID:3996
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe97⤵PID:668
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe98⤵PID:1368
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe99⤵PID:2196
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe100⤵PID:2384
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe101⤵PID:2832
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe102⤵PID:2548
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe103⤵PID:1300
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe104⤵PID:1564
-
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe105⤵PID:548
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe106⤵PID:3212
-
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe107⤵PID:3280
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe108⤵PID:3376
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe109⤵PID:3484
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe110⤵PID:3596
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe111⤵PID:3612
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe112⤵PID:3752
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe113⤵PID:2928
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe114⤵PID:3780
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe115⤵PID:3944
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe116⤵PID:4060
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe117⤵PID:3068
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe118⤵PID:1348
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe119⤵PID:1860
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe120⤵PID:2744
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe121⤵PID:2960
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe122⤵PID:1036