Analysis
-
max time kernel
139s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
09/05/2024, 14:50
Behavioral task
behavioral1
Sample
65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
65804c31f11f465e95273a6c72bca370
-
SHA1
62700ed3cb52068ed179ed6c6065878ca91573cf
-
SHA256
89c2bd14ea1a61b0db0e85eac2fb5d64101646289bc90f83510a22e073d1e60f
-
SHA512
0df1e28057666b214edbbefaac9219a025b2a0313327215d2eb93afa83cdb4ea7934d311b2951d17d4cb840d66f632b1cffe4a5a576fa8b9f6317a37781a7f5a
-
SSDEEP
12288:oferXNUFHCXwpnsKvNA+XTvZHWuEo3oWbvrec:iZpsKv2EvZHp3oWbvrec
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs). Every entry below writes the same ShellServiceObjectDelayLoad value, "Web Event Logger" = {79ECA078-17FF-726B-E811-213280E5C831}, under the Wow6432Node hive; the CLSID it names is registered under "Modifies registry class" further down, so the two signatures together describe one persistence mechanism rather than two. Entries attributed to "Process not Found" are events the sandbox could not tie to a live process at attribution time, presumably because the writing process had already exited.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aopahjll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jolepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 
Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbnljqic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaogognm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abhlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejjbbkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmljgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkihbho.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aidnohbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klhgfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpmcielb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddnfop32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jaijak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edcqjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnocpdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcdopc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbonei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found -
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers. In this run (behavioral1, Windows 7 x64) the family_berbew YARA rule matches both the on-disk dropped files and the 0x400000-0x441000 image region of each process in the spawn chain, i.e. every stage is a copy of the same 32-bit payload; persistence is achieved by registering CLSID {79ECA078-17FF-726B-E811-213280E5C831} with InProcServer32 pointing at DLLs dropped in C:\Windows\SysWow64 and listing it under ShellServiceObjectDelayLoad so Explorer.exe loads it at logon. No network indicators or C2 configuration are recorded in this report (the "Malware Config" section is empty), so downloader behaviour is not confirmed for this sample.
resource yara_rule behavioral1/memory/2936-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000e00000001214d-5.dat family_berbew behavioral1/memory/2936-6-0x0000000000350000-0x0000000000391000-memory.dmp family_berbew behavioral1/files/0x00070000000165d4-24.dat family_berbew behavioral1/memory/2152-27-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000016a7d-33.dat family_berbew behavioral1/memory/2152-34-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x0007000000016caf-54.dat family_berbew behavioral1/memory/2868-55-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2720-41-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016d78-61.dat family_berbew behavioral1/files/0x0006000000016db2-76.dat family_berbew behavioral1/memory/2532-88-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2168-70-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016dd1-89.dat family_berbew behavioral1/memory/1596-97-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00370000000162cc-109.dat family_berbew behavioral1/memory/2812-113-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000173b4-118.dat family_berbew behavioral1/memory/1808-131-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2812-125-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/1968-141-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000173d6-140.dat family_berbew behavioral1/files/0x00060000000175e8-147.dat family_berbew behavioral1/memory/1936-155-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00050000000186ff-160.dat family_berbew 
behavioral1/memory/592-168-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001870d-174.dat family_berbew behavioral1/memory/2960-181-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2308-194-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001873a-193.dat family_berbew behavioral1/files/0x000500000001878b-200.dat family_berbew behavioral1/memory/2892-223-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000018b73-222.dat family_berbew behavioral1/memory/2276-210-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2892-230-0x0000000000310000-0x0000000000351000-memory.dmp family_berbew behavioral1/files/0x0006000000018bda-233.dat family_berbew behavioral1/memory/3052-238-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019296-240.dat family_berbew behavioral1/memory/2472-244-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00050000000193c5-252.dat family_berbew behavioral1/memory/1304-259-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1304-261-0x0000000000260000-0x00000000002A1000-memory.dmp family_berbew behavioral1/files/0x00050000000193ee-262.dat family_berbew behavioral1/memory/1364-266-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001941d-273.dat family_berbew behavioral1/memory/1600-281-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2364-288-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001945f-283.dat family_berbew behavioral1/memory/2364-294-0x0000000000290000-0x00000000002D1000-memory.dmp family_berbew behavioral1/files/0x000500000001949f-295.dat family_berbew behavioral1/memory/1540-303-0x0000000000400000-0x0000000000441000-memory.dmp 
family_berbew behavioral1/memory/3000-354-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019628-362.dat family_berbew behavioral1/memory/3040-365-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019625-350.dat family_berbew behavioral1/memory/1588-348-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019622-338.dat family_berbew behavioral1/memory/2040-332-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001961e-329.dat family_berbew behavioral1/memory/2476-321-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001961a-316.dat family_berbew behavioral1/memory/1796-313-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019520-305.dat family_berbew -
Executes dropped EXE (64 IoCs)
pid Process 2012 Dbbkja32.exe 2152 Dgaqgh32.exe 2720 Eihfjo32.exe 2868 Ekholjqg.exe 2168 Epfhbign.exe 2532 Eecqjpee.exe 1596 Egamfkdh.exe 2812 Globlmmj.exe 1808 Goddhg32.exe 1968 Gkkemh32.exe 1936 Henidd32.exe 592 Hogmmjfo.exe 2960 Ijgdngmf.exe 2308 Jqfffqpm.exe 2276 Jnqphi32.exe 2892 Jkdpanhg.exe 3052 Kjqccigf.exe 2472 Kcihlong.exe 1304 Lbnemk32.exe 1364 Lmcijcbe.exe 1600 Lflmci32.exe 2364 Lafndg32.exe 1540 Lahkigca.exe 1796 Ldfgebbe.exe 2476 Lkppbl32.exe 2040 Lmolnh32.exe 1588 Lefdpe32.exe 3000 Ldidkbpb.exe 3040 Mkclhl32.exe 2520 Mlmlecec.exe 2512 Nhdlkdkg.exe 2984 Nondgn32.exe 2840 Nejiih32.exe 2412 Nhiffc32.exe 1608 Nacgdhlp.exe 2756 Oklkmnbp.exe 1932 Oqkqkdne.exe 2852 Ogeigofa.exe 484 Ojfaijcc.exe 556 Omdneebf.exe 540 Oikojfgk.exe 1516 Okikfagn.exe 2300 Pgplkb32.exe 1088 Pbfpik32.exe 1856 Pnlqnl32.exe 1480 Pefijfii.exe 1736 Pclfkc32.exe 948 Pggbla32.exe 3048 Ppbfpd32.exe 2904 Pjhknm32.exe 1732 Pikkiijf.exe 2180 Qjjgclai.exe 1092 Qlkdkd32.exe 1756 Qfahhm32.exe 2744 Amkpegnj.exe 2792 Afcenm32.exe 2524 Aefeijle.exe 3032 Abjebn32.exe 2752 Aamfnkai.exe 2500 Aidnohbk.exe 1956 Albjlcao.exe 1944 Ajejgp32.exe 288 Abmbhn32.exe 2184 Amhpnkch.exe -
Loads dropped DLL (64 IoCs)
pid Process 2936 65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe 2936 65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe 2012 Dbbkja32.exe 2012 Dbbkja32.exe 2152 Dgaqgh32.exe 2152 Dgaqgh32.exe 2720 Eihfjo32.exe 2720 Eihfjo32.exe 2868 Ekholjqg.exe 2868 Ekholjqg.exe 2168 Epfhbign.exe 2168 Epfhbign.exe 2532 Eecqjpee.exe 2532 Eecqjpee.exe 1596 Egamfkdh.exe 1596 Egamfkdh.exe 2812 Globlmmj.exe 2812 Globlmmj.exe 1808 Goddhg32.exe 1808 Goddhg32.exe 1968 Gkkemh32.exe 1968 Gkkemh32.exe 1936 Henidd32.exe 1936 Henidd32.exe 592 Hogmmjfo.exe 592 Hogmmjfo.exe 2960 Ijgdngmf.exe 2960 Ijgdngmf.exe 2308 Jqfffqpm.exe 2308 Jqfffqpm.exe 2276 Jnqphi32.exe 2276 Jnqphi32.exe 2892 Jkdpanhg.exe 2892 Jkdpanhg.exe 3052 Kjqccigf.exe 3052 Kjqccigf.exe 2472 Kcihlong.exe 2472 Kcihlong.exe 1304 Lbnemk32.exe 1304 Lbnemk32.exe 1364 Lmcijcbe.exe 1364 Lmcijcbe.exe 1600 Lflmci32.exe 1600 Lflmci32.exe 2364 Lafndg32.exe 2364 Lafndg32.exe 1540 Lahkigca.exe 1540 Lahkigca.exe 1796 Ldfgebbe.exe 1796 Ldfgebbe.exe 2476 Lkppbl32.exe 2476 Lkppbl32.exe 2040 Lmolnh32.exe 2040 Lmolnh32.exe 1588 Lefdpe32.exe 1588 Lefdpe32.exe 3000 Ldidkbpb.exe 3000 Ldidkbpb.exe 3040 Mkclhl32.exe 3040 Mkclhl32.exe 2520 Mlmlecec.exe 2520 Mlmlecec.exe 2512 Nhdlkdkg.exe 2512 Nhdlkdkg.exe -
Drops file in System32 directory (64 IoCs). Note the paths are C:\Windows\SysWOW64, the 32-bit system directory on this x64 image; each dropped .exe spawns the next stage and each dropped .dll is a candidate InProcServer32 target for the registered CLSID.
description ioc Process File created C:\Windows\SysWOW64\Kbdklf32.exe Kocbkk32.exe File created C:\Windows\SysWOW64\Eelloqic.dll Cgpjlnhh.exe File created C:\Windows\SysWOW64\Akcldl32.exe Aggpdnpj.exe File created C:\Windows\SysWOW64\Fjdnlhco.exe Foojop32.exe File created C:\Windows\SysWOW64\Icfpbl32.exe Ifbphh32.exe File created C:\Windows\SysWOW64\Dlkcdc32.dll Process not Found File created C:\Windows\SysWOW64\Dlbabncd.dll Gpcoib32.exe File created C:\Windows\SysWOW64\Bpebidam.exe Babbng32.exe File created C:\Windows\SysWOW64\Njecbced.dll Hgiked32.exe File created C:\Windows\SysWOW64\Npgihifq.dll Process not Found File opened for modification C:\Windows\SysWOW64\Blkmdodf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lkhalo32.exe Process not Found File created C:\Windows\SysWOW64\Agpmcpfm.dll Process not Found File created C:\Windows\SysWOW64\Jngakhdp.dll Process not Found File created C:\Windows\SysWOW64\Ppdghpph.dll Pnmcfeia.exe File opened for modification C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Maanab32.exe Process not Found File created C:\Windows\SysWOW64\Henmen32.dll Process not Found File created C:\Windows\SysWOW64\Jjneoeeh.exe Process not Found File created C:\Windows\SysWOW64\Khlajd32.dll Mhilph32.exe File created C:\Windows\SysWOW64\Elkmmodo.exe Eklqcl32.exe File opened for modification C:\Windows\SysWOW64\Adiaommc.exe Process not Found File created C:\Windows\SysWOW64\Lekjcmbe.dll Jkjfah32.exe File created C:\Windows\SysWOW64\Igijkd32.exe Ippbnjni.exe File opened for modification C:\Windows\SysWOW64\Egikjh32.exe Eejopecj.exe File opened for modification C:\Windows\SysWOW64\Mndhnd32.exe Mjilmejf.exe File opened for modification C:\Windows\SysWOW64\Mlahdkjc.exe Process not Found File created C:\Windows\SysWOW64\Lklfdlbn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ncnlnaim.exe Process not Found File created C:\Windows\SysWOW64\Naimccpo.exe Nmnace32.exe File created 
C:\Windows\SysWOW64\Qmcjfmgj.dll Ddiibc32.exe File opened for modification C:\Windows\SysWOW64\Elkmmodo.exe Eklqcl32.exe File created C:\Windows\SysWOW64\Chfkee32.dll Afliclij.exe File created C:\Windows\SysWOW64\Jdgcbgmg.dll Gcppkbia.exe File created C:\Windows\SysWOW64\Dpgcip32.exe Dbafjlaa.exe File created C:\Windows\SysWOW64\Hdbcmcno.dll Qpcjeaad.exe File created C:\Windows\SysWOW64\Phgannal.exe Process not Found File opened for modification C:\Windows\SysWOW64\Llcefjgf.exe Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Qhilkege.exe Plbkfdba.exe File created C:\Windows\SysWOW64\Blfapfpg.exe Afliclij.exe File opened for modification C:\Windows\SysWOW64\Klhbdclg.exe Process not Found File created C:\Windows\SysWOW64\Piipgfbo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mkacfiga.exe Mojbaham.exe File created C:\Windows\SysWOW64\Nhmcad32.dll Process not Found File created C:\Windows\SysWOW64\Hgjood32.dll Iihfgp32.exe File opened for modification C:\Windows\SysWOW64\Kpicle32.exe Kgqocoin.exe File created C:\Windows\SysWOW64\Bnfddp32.exe Bgllgedi.exe File created C:\Windows\SysWOW64\Cgoelh32.exe Ckhdggom.exe File opened for modification C:\Windows\SysWOW64\Kmkihbho.exe Kmimcbja.exe File created C:\Windows\SysWOW64\Pmdmmalf.exe Pakllc32.exe File opened for modification C:\Windows\SysWOW64\Aipfmane.exe Afajafoa.exe File opened for modification C:\Windows\SysWOW64\Cbbomjnn.exe Ckhfpp32.exe File created C:\Windows\SysWOW64\Ogohdeam.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lflplbpi.exe Lihobnap.exe File created C:\Windows\SysWOW64\Mlbblc32.dll Ifbphh32.exe File created C:\Windows\SysWOW64\Lpnopm32.exe Lmpcca32.exe File opened for modification C:\Windows\SysWOW64\Jbedkhie.exe Process not Found File created C:\Windows\SysWOW64\Bhdgjb32.exe Bhajdblk.exe File created C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File created C:\Windows\SysWOW64\Imbige32.dll Process not Found File created 
C:\Windows\SysWOW64\Nmggllha.exe Process not Found File created C:\Windows\SysWOW64\Fpnehm32.dll Bpbmqe32.exe File opened for modification C:\Windows\SysWOW64\Ibfmmb32.exe Ifolhann.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Eihfjo32.exe -
Program crash (1 IoC)
pid pid_target Process procid_target 4472 2128 Process not Found 1561 -
Modifies registry class (64 IoCs). These entries register the CLSID {79ECA078-17FF-726B-E811-213280E5C831} with ThreadingModel = "Apartment" and repeatedly repoint its InProcServer32 default value at different dropped DLLs under C:\Windows\SysWow64; the last writer wins, so the DLL Explorer.exe actually loads at next logon is whichever entry was written last, which this list does not order by time.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaejddnk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmobakj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll" Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ideimcdd.dll" Enqdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkjapglg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epbfmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maigcgee.dll" Fcdopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgphd32.dll" Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfibh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eihfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Noohlkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blfapfpg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphmpc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfdhnai.dll" Jqgoiokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgjclbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qcqaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnpem32.dll" Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efppqoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfekjn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjqccigf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll" Bbdallnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmmab32.dll" Hhbdee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcjnfdbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgohna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnihdemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcijeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqbnfda.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfljfho.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhfeiqmh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aniimjbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onocmadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hblgnkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkcdb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coafko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll" Qqeicede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmabb32.dll" Khohkamc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaakfpk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbfpik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egafleqm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2012 2936 65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe 28 PID 2936 wrote to memory of 2012 2936 65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe 28 PID 2936 wrote to memory of 2012 2936 65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe 28 PID 2936 wrote to memory of 2012 2936 65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe 28 PID 2012 wrote to memory of 2152 2012 Dbbkja32.exe 29 PID 2012 wrote to memory of 2152 2012 Dbbkja32.exe 29 PID 2012 wrote to memory of 2152 2012 Dbbkja32.exe 29 PID 2012 wrote to memory of 2152 2012 Dbbkja32.exe 29 PID 2152 wrote to memory of 2720 2152 Dgaqgh32.exe 30 PID 2152 wrote to memory of 2720 2152 Dgaqgh32.exe 30 PID 2152 wrote to memory of 2720 2152 Dgaqgh32.exe 30 PID 2152 wrote to memory of 2720 2152 Dgaqgh32.exe 30 PID 2720 wrote to memory of 2868 2720 Eihfjo32.exe 31 PID 2720 wrote to memory of 2868 2720 Eihfjo32.exe 31 PID 2720 wrote to memory of 2868 2720 Eihfjo32.exe 31 PID 2720 wrote to memory of 2868 2720 Eihfjo32.exe 31 PID 2868 wrote to memory of 2168 2868 Ekholjqg.exe 32 PID 2868 wrote to memory of 2168 2868 Ekholjqg.exe 32 PID 2868 wrote to memory of 2168 2868 Ekholjqg.exe 32 PID 2868 wrote to memory of 2168 2868 Ekholjqg.exe 32 PID 2168 wrote to memory of 2532 2168 Epfhbign.exe 33 PID 2168 wrote to memory of 2532 2168 Epfhbign.exe 33 PID 2168 wrote to memory of 2532 2168 Epfhbign.exe 33 PID 2168 wrote to memory of 2532 2168 Epfhbign.exe 33 PID 2532 wrote to memory of 1596 2532 Eecqjpee.exe 34 PID 2532 wrote to memory of 1596 2532 Eecqjpee.exe 34 PID 2532 wrote to memory of 1596 2532 Eecqjpee.exe 34 PID 2532 wrote to memory of 1596 2532 Eecqjpee.exe 34 PID 1596 wrote to memory of 2812 1596 Egamfkdh.exe 35 PID 1596 wrote to memory of 2812 1596 Egamfkdh.exe 35 PID 1596 wrote to memory of 2812 1596 Egamfkdh.exe 35 PID 1596 wrote to memory of 2812 1596 Egamfkdh.exe 35 PID 2812 wrote to memory of 1808 2812 Globlmmj.exe 36 PID 2812 wrote to 
memory of 1808 2812 Globlmmj.exe 36 PID 2812 wrote to memory of 1808 2812 Globlmmj.exe 36 PID 2812 wrote to memory of 1808 2812 Globlmmj.exe 36 PID 1808 wrote to memory of 1968 1808 Goddhg32.exe 37 PID 1808 wrote to memory of 1968 1808 Goddhg32.exe 37 PID 1808 wrote to memory of 1968 1808 Goddhg32.exe 37 PID 1808 wrote to memory of 1968 1808 Goddhg32.exe 37 PID 1968 wrote to memory of 1936 1968 Gkkemh32.exe 38 PID 1968 wrote to memory of 1936 1968 Gkkemh32.exe 38 PID 1968 wrote to memory of 1936 1968 Gkkemh32.exe 38 PID 1968 wrote to memory of 1936 1968 Gkkemh32.exe 38 PID 1936 wrote to memory of 592 1936 Henidd32.exe 39 PID 1936 wrote to memory of 592 1936 Henidd32.exe 39 PID 1936 wrote to memory of 592 1936 Henidd32.exe 39 PID 1936 wrote to memory of 592 1936 Henidd32.exe 39 PID 592 wrote to memory of 2960 592 Hogmmjfo.exe 40 PID 592 wrote to memory of 2960 592 Hogmmjfo.exe 40 PID 592 wrote to memory of 2960 592 Hogmmjfo.exe 40 PID 592 wrote to memory of 2960 592 Hogmmjfo.exe 40 PID 2960 wrote to memory of 2308 2960 Ijgdngmf.exe 41 PID 2960 wrote to memory of 2308 2960 Ijgdngmf.exe 41 PID 2960 wrote to memory of 2308 2960 Ijgdngmf.exe 41 PID 2960 wrote to memory of 2308 2960 Ijgdngmf.exe 41 PID 2308 wrote to memory of 2276 2308 Jqfffqpm.exe 42 PID 2308 wrote to memory of 2276 2308 Jqfffqpm.exe 42 PID 2308 wrote to memory of 2276 2308 Jqfffqpm.exe 42 PID 2308 wrote to memory of 2276 2308 Jqfffqpm.exe 42 PID 2276 wrote to memory of 2892 2276 Jnqphi32.exe 43 PID 2276 wrote to memory of 2892 2276 Jnqphi32.exe 43 PID 2276 wrote to memory of 2892 2276 Jnqphi32.exe 43 PID 2276 wrote to memory of 2892 2276 Jnqphi32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\65804c31f11f465e95273a6c72bca370_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe33⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe34⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe35⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe36⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe37⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe38⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe39⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe40⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe41⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe43⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe44⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe46⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe47⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe48⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe49⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe50⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe51⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe52⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe53⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe54⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe55⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe56⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe57⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe58⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe59⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe60⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe62⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe63⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe64⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe65⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe66⤵PID:1196
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe67⤵PID:1912
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe68⤵PID:2268
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe69⤵PID:632
-
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe70⤵PID:2352
-
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe71⤵PID:748
-
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe72⤵PID:2460
-
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe73⤵PID:876
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe74⤵PID:1752
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe75⤵PID:1692
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe76⤵PID:1948
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe77⤵PID:3028
-
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe78⤵PID:1452
-
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe79⤵PID:2956
-
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe80⤵PID:1868
-
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe81⤵PID:2020
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe82⤵PID:1632
-
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe83⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe84⤵PID:1344
-
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe85⤵PID:2380
-
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe86⤵PID:1728
-
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe87⤵PID:1760
-
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe88⤵PID:1640
-
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe89⤵PID:2436
-
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe90⤵PID:2328
-
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe91⤵PID:1916
-
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe92⤵PID:2968
-
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe93⤵PID:2716
-
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe94⤵PID:2824
-
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe95⤵PID:1628
-
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe96⤵PID:1812
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe97⤵PID:2236
-
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe98⤵PID:1616
-
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe99⤵PID:2212
-
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe100⤵PID:624
-
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe101⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe102⤵PID:1568
-
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe103⤵PID:2492
-
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe104⤵PID:2416
-
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe105⤵PID:1988
-
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe106⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe107⤵PID:1828
-
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe108⤵PID:1964
-
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe109⤵PID:2804
-
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe110⤵PID:2676
-
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe111⤵PID:2568
-
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe112⤵PID:2208
-
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe113⤵PID:856
-
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe114⤵PID:1060
-
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe115⤵PID:2940
-
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe116⤵PID:2272
-
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe117⤵PID:1044
-
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe118⤵PID:2068
-
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe119⤵PID:1584
-
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe120⤵PID:1940
-
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe121⤵PID:2616
-
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe122⤵PID:1644
-