Analysis
-
max time kernel
142s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:56
Behavioral task
behavioral1
Sample
67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe
-
Size
548KB
-
MD5
67eaa493590bbf2d97a0390e8e2b6a70
-
SHA1
20eeb2e9b9d414675c0d6f1b02de159a6e21d20b
-
SHA256
502a0009fd84852c1ce5c1db38eb3393c85a0b2e1541a0a032f853e15865a74b
-
SHA512
d34a348b0c18531754c33deb8a6c22bbe166a167e246329c060d7f364ef2a5716b43b070a87565aa5ec1905e0afc82508e44af5885fba56cd2f111768c31d74e
-
SSDEEP
12288:ntAvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:nVq5htaSHFaZRBEYyqmaf2qwiHPKgRCW
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnkpobc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necogkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmhnjlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcenm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfaocal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgqpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjghhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qogbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphjcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihqgbhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Femeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekhacbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daqamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieagbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdhcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcpac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdgfelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibjbgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlkgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daofpchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gebbnpfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofaicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhjlbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cakqgeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oioggmmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioaifhid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oegbheiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaloddnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjegqif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqlpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difnaqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcenlceh.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000d00000001226c-5.dat family_berbew behavioral1/files/0x00080000000153fd-24.dat family_berbew behavioral1/files/0x0007000000015679-33.dat family_berbew behavioral1/files/0x0007000000015bc7-54.dat family_berbew behavioral1/files/0x0008000000015f54-61.dat family_berbew behavioral1/files/0x00060000000160f3-74.dat family_berbew behavioral1/files/0x00060000000162cc-87.dat family_berbew behavioral1/files/0x0038000000014ca5-100.dat family_berbew behavioral1/files/0x00060000000165d4-114.dat family_berbew behavioral1/files/0x0006000000016a7d-132.dat family_berbew behavioral1/files/0x0006000000016c5d-141.dat family_berbew behavioral1/files/0x0006000000016caf-155.dat family_berbew behavioral1/files/0x0006000000016d05-168.dat family_berbew behavioral1/files/0x0006000000016d22-188.dat family_berbew behavioral1/files/0x0006000000016d33-195.dat family_berbew behavioral1/files/0x0006000000016d44-216.dat family_berbew behavioral1/files/0x0006000000016d55-228.dat family_berbew behavioral1/files/0x0006000000016d6c-235.dat family_berbew behavioral1/files/0x0006000000016d78-245.dat family_berbew behavioral1/files/0x0006000000016db2-254.dat family_berbew behavioral1/files/0x0006000000016dd1-265.dat family_berbew behavioral1/files/0x000600000001720f-272.dat family_berbew behavioral1/files/0x00060000000173d3-281.dat family_berbew behavioral1/files/0x0006000000017568-290.dat family_berbew behavioral1/files/0x00060000000175f4-303.dat family_berbew behavioral1/memory/1544-308-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/memory/1544-307-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0005000000018701-312.dat family_berbew behavioral1/memory/2184-327-0x0000000000440000-0x0000000000473000-memory.dmp family_berbew behavioral1/files/0x0005000000018711-324.dat family_berbew behavioral1/memory/2184-323-0x0000000000440000-0x0000000000473000-memory.dmp family_berbew behavioral1/files/0x0005000000018784-335.dat family_berbew behavioral1/memory/3064-338-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x00050000000187a2-346.dat family_berbew behavioral1/memory/1220-350-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0006000000018bc6-355.dat family_berbew behavioral1/files/0x00060000000190d6-368.dat family_berbew behavioral1/memory/2336-373-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/memory/2336-372-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0005000000019349-377.dat family_berbew behavioral1/files/0x00050000000193d2-388.dat family_berbew behavioral1/files/0x000500000001941b-399.dat family_berbew behavioral1/files/0x0005000000019437-412.dat family_berbew behavioral1/files/0x0005000000019470-421.dat family_berbew behavioral1/files/0x000500000001950d-433.dat family_berbew behavioral1/memory/2860-439-0x0000000000270000-0x00000000002A3000-memory.dmp family_berbew behavioral1/files/0x0005000000019590-443.dat family_berbew behavioral1/files/0x000500000001961c-455.dat family_berbew behavioral1/memory/1684-460-0x0000000000300000-0x0000000000333000-memory.dmp family_berbew behavioral1/files/0x0005000000019620-456.dat family_berbew behavioral1/files/0x0005000000019624-475.dat family_berbew behavioral1/files/0x0005000000019626-486.dat family_berbew behavioral1/files/0x000500000001962a-496.dat family_berbew behavioral1/memory/2280-500-0x00000000002D0000-0x0000000000303000-memory.dmp family_berbew behavioral1/memory/2280-499-0x00000000002D0000-0x0000000000303000-memory.dmp family_berbew behavioral1/files/0x000500000001962e-506.dat family_berbew behavioral1/files/0x0005000000019632-520.dat family_berbew behavioral1/files/0x0005000000019679-529.dat family_berbew behavioral1/files/0x00050000000196bb-542.dat family_berbew behavioral1/files/0x0005000000019702-552.dat family_berbew behavioral1/files/0x0005000000019716-564.dat family_berbew behavioral1/files/0x0005000000019900-575.dat family_berbew behavioral1/files/0x0005000000019962-587.dat family_berbew behavioral1/files/0x0005000000019c66-597.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1804 Bkaqmeah.exe 2600 Banepo32.exe 2716 Bpcbqk32.exe 2940 Cljcelan.exe 1252 Cgbdhd32.exe 2516 Cjbmjplb.exe 2804 Chhjkl32.exe 2608 Dgmglh32.exe 1668 Dgodbh32.exe 1072 Dqhhknjp.exe 1968 Djbiicon.exe 1852 Dfijnd32.exe 1720 Ekholjqg.exe 2056 Emhlfmgj.exe 2968 Egdilkbf.exe 444 Ebinic32.exe 2380 Fpdhklkl.exe 628 Ffnphf32.exe 2464 Fdapak32.exe 1964 Ffpmnf32.exe 1800 Flmefm32.exe 1956 Fddmgjpo.exe 952 Ffbicfoc.exe 1544 Globlmmj.exe 2320 Gpknlk32.exe 2184 Glaoalkh.exe 3064 Gejcjbah.exe 1220 Gldkfl32.exe 2788 Ghkllmoi.exe 2336 Gkihhhnm.exe 2944 Gkkemh32.exe 2668 Gmjaic32.exe 2772 Hiqbndpb.exe 2568 Hahjpbad.exe 2852 Hgdbhi32.exe 2860 Hckcmjep.exe 2564 Hcnpbi32.exe 1684 Hellne32.exe 1092 Hacmcfge.exe 1044 Hjjddchg.exe 2856 Icbimi32.exe 2280 Idceea32.exe 2488 Ifcbodli.exe 484 Igdogl32.exe 1028 Iokfhi32.exe 1700 Ihdkao32.exe 1132 Ijeghgoh.exe 2180 Iblpjdpk.exe 1872 Icmlam32.exe 2272 Ijgdngmf.exe 988 Iqalka32.exe 1500 Icpigm32.exe 872 Jmhmpb32.exe 1736 Jcbellac.exe 2612 Jiondcpk.exe 2752 Jqfffqpm.exe 2784 Jbgbni32.exe 2500 Jmmfkafa.exe 1404 Jokcgmee.exe 2576 Jfekcg32.exe 1068 Jonplmcb.exe 1996 Jbllihbf.exe 2808 Jgidao32.exe 2156 Jnclnihj.exe -
Loads dropped DLL 64 IoCs
pid Process 2108 67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe 2108 67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe 1804 Bkaqmeah.exe 1804 Bkaqmeah.exe 2600 Banepo32.exe 2600 Banepo32.exe 2716 Bpcbqk32.exe 2716 Bpcbqk32.exe 2940 Cljcelan.exe 2940 Cljcelan.exe 1252 Cgbdhd32.exe 1252 Cgbdhd32.exe 2516 Cjbmjplb.exe 2516 Cjbmjplb.exe 2804 Chhjkl32.exe 2804 Chhjkl32.exe 2608 Dgmglh32.exe 2608 Dgmglh32.exe 1668 Dgodbh32.exe 1668 Dgodbh32.exe 1072 Dqhhknjp.exe 1072 Dqhhknjp.exe 1968 Djbiicon.exe 1968 Djbiicon.exe 1852 Dfijnd32.exe 1852 Dfijnd32.exe 1720 Ekholjqg.exe 1720 Ekholjqg.exe 2056 Emhlfmgj.exe 2056 Emhlfmgj.exe 2968 Egdilkbf.exe 2968 Egdilkbf.exe 444 Ebinic32.exe 444 Ebinic32.exe 2380 Fpdhklkl.exe 2380 Fpdhklkl.exe 628 Ffnphf32.exe 628 Ffnphf32.exe 2464 Fdapak32.exe 2464 Fdapak32.exe 1964 Ffpmnf32.exe 1964 Ffpmnf32.exe 1800 Flmefm32.exe 1800 Flmefm32.exe 1956 Fddmgjpo.exe 1956 Fddmgjpo.exe 952 Ffbicfoc.exe 952 Ffbicfoc.exe 1544 Globlmmj.exe 1544 Globlmmj.exe 2320 Gpknlk32.exe 2320 Gpknlk32.exe 2184 Glaoalkh.exe 2184 Glaoalkh.exe 3064 Gejcjbah.exe 3064 Gejcjbah.exe 1220 Gldkfl32.exe 1220 Gldkfl32.exe 2788 Ghkllmoi.exe 2788 Ghkllmoi.exe 2336 Gkihhhnm.exe 2336 Gkihhhnm.exe 2944 Gkkemh32.exe 2944 Gkkemh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kiebec32.dll Ocnfbo32.exe File opened for modification C:\Windows\SysWOW64\Gmpgio32.exe Gdgcpi32.exe File created C:\Windows\SysWOW64\Qlgnpgja.dll Kdnild32.exe File created C:\Windows\SysWOW64\Gjffnf32.dll Kdbbgdjj.exe File opened for modification C:\Windows\SysWOW64\Pdaheq32.exe Pngphgbf.exe File created C:\Windows\SysWOW64\Ibkhnd32.dll Pebpkk32.exe File created C:\Windows\SysWOW64\Aebmjo32.exe Process not Found File created C:\Windows\SysWOW64\Cbgjqo32.exe Cmjbhh32.exe File opened for modification C:\Windows\SysWOW64\Hdiejfej.exe Hicqmmfc.exe File opened for modification C:\Windows\SysWOW64\Kglcogeo.exe Kfjggo32.exe File created C:\Windows\SysWOW64\Mpbdnk32.exe Mfjoeeeh.exe File created C:\Windows\SysWOW64\Gmpjagfa.exe Ggcaiqhj.exe File opened for modification C:\Windows\SysWOW64\Lgmeid32.exe Lqcmmjko.exe File created C:\Windows\SysWOW64\Nqcglmgd.dll Eijdkcgn.exe File created C:\Windows\SysWOW64\Blbfjg32.exe Behnnm32.exe File opened for modification C:\Windows\SysWOW64\Hpefdl32.exe Hdnepk32.exe File created C:\Windows\SysWOW64\Lihcil32.dll Dkkbkp32.exe File opened for modification C:\Windows\SysWOW64\Hppfog32.exe Hjcmgp32.exe File opened for modification C:\Windows\SysWOW64\Ddgjdk32.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Process not Found File created C:\Windows\SysWOW64\Pdobjm32.dll Ghelfg32.exe File created C:\Windows\SysWOW64\Qfclkmib.dll Ekknjcfh.exe File created C:\Windows\SysWOW64\Kjoppjjm.dll Gmpjagfa.exe File created C:\Windows\SysWOW64\Khdlmj32.dll Ijdqna32.exe File created C:\Windows\SysWOW64\Cjeapkom.dll Ikefkcmo.exe File opened for modification C:\Windows\SysWOW64\Cfhiplmp.exe Cdjmcpnl.exe File created C:\Windows\SysWOW64\Mnbpjb32.exe Miehak32.exe File created C:\Windows\SysWOW64\Ndqkleln.exe Nabopjmj.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Gejcjbah.exe File opened for modification C:\Windows\SysWOW64\Lfpclh32.exe Lgmcqkkh.exe File created C:\Windows\SysWOW64\Difnaqih.exe Daofpchf.exe File created C:\Windows\SysWOW64\Jedcpi32.exe Jojkco32.exe File created C:\Windows\SysWOW64\Kaaijdgn.exe Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Nfidjbdg.exe Nmqpam32.exe File opened for modification C:\Windows\SysWOW64\Afiglkle.exe Ackkppma.exe File created C:\Windows\SysWOW64\Nfidjbdg.exe Nmqpam32.exe File created C:\Windows\SysWOW64\Jkfalhjp.dll Kkaiqk32.exe File opened for modification C:\Windows\SysWOW64\Fbbofjnh.exe Fkhgip32.exe File opened for modification C:\Windows\SysWOW64\Afcenm32.exe Anlmmp32.exe File created C:\Windows\SysWOW64\Iipiljgf.exe Ifampo32.exe File opened for modification C:\Windows\SysWOW64\Dgbeiiqe.exe Dddimn32.exe File opened for modification C:\Windows\SysWOW64\Hpphhp32.exe Hifpke32.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jbjpom32.exe File created C:\Windows\SysWOW64\Geemiobo.dll Ebmgcohn.exe File created C:\Windows\SysWOW64\Jjomgo32.exe Jgqpkc32.exe File created C:\Windows\SysWOW64\Bgkenb32.dll Oajlkojn.exe File created C:\Windows\SysWOW64\Mkndhabp.exe Lddlkg32.exe File created C:\Windows\SysWOW64\Limilm32.dll Kahojc32.exe File created C:\Windows\SysWOW64\Gbgffb32.dll Kqfdnljm.exe File opened for modification C:\Windows\SysWOW64\Ldjpbign.exe Kdhcli32.exe File created C:\Windows\SysWOW64\Cbiiog32.exe Ciaefa32.exe File created C:\Windows\SysWOW64\Kkolkk32.exe Kkolkk32.exe File created C:\Windows\SysWOW64\Fciang32.dll Jcgapdeb.exe File created C:\Windows\SysWOW64\Adklhjib.dll Lqmjnk32.exe File created C:\Windows\SysWOW64\Qbelgood.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Knnkpobc.exe Kllnhg32.exe File created C:\Windows\SysWOW64\Gkglnm32.exe Ggkqmoma.exe File created C:\Windows\SysWOW64\Lhiakf32.exe Lfkeokjp.exe File opened for modification C:\Windows\SysWOW64\Onfoin32.exe Ndqkleln.exe File created C:\Windows\SysWOW64\Lliflp32.exe Leonofpp.exe File opened for modification C:\Windows\SysWOW64\Konndhmb.exe Knmamp32.exe File created C:\Windows\SysWOW64\Odgodl32.exe Ommfga32.exe File opened for modification C:\Windows\SysWOW64\Kfnmpn32.exe Kpadhg32.exe File opened for modification C:\Windows\SysWOW64\Mmogmjmn.exe Mfdopp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2844 3764 Process not Found 1106 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmikde32.dll" Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moancj32.dll" Fbbofjnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibjbgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpcihcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdpnb32.dll" Pdgkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqbecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjppn32.dll" Ddfcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meiapfab.dll" Mnojacgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcegq32.dll" Gdhkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflplbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbonei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhgnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll" Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgemkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boadnkpf.dll" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfeceln.dll" Eamilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgiefej.dll" Lnhdqdnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkcgima.dll" Noacef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodklh32.dll" Bekmle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejiak32.dll" Gehhmkko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqiimfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indgjihl.dll" Jnmlhchd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqbecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepdfnja.dll" Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpkibo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpphhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iompkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjifhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicqmmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eligcnhi.dll" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphgph32.dll" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oniefifl.dll" Bgqcjlhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" Mcbjgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elcdcgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbonei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkmqdpce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfcnegnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcabmga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giieco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npngheao.dll" Eogjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjkjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkbaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogmcjef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mapjmehi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 1804 2108 67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe 28 PID 2108 wrote to memory of 1804 2108 67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe 28 PID 2108 wrote to memory of 1804 2108 67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe 28 PID 2108 wrote to memory of 1804 2108 67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe 28 PID 1804 wrote to memory of 2600 1804 Bkaqmeah.exe 29 PID 1804 wrote to memory of 2600 1804 Bkaqmeah.exe 29 PID 1804 wrote to memory of 2600 1804 Bkaqmeah.exe 29 PID 1804 wrote to memory of 2600 1804 Bkaqmeah.exe 29 PID 2600 wrote to memory of 2716 2600 Banepo32.exe 30 PID 2600 wrote to memory of 2716 2600 Banepo32.exe 30 PID 2600 wrote to memory of 2716 2600 Banepo32.exe 30 PID 2600 wrote to memory of 2716 2600 Banepo32.exe 30 PID 2716 wrote to memory of 2940 2716 Bpcbqk32.exe 31 PID 2716 wrote to memory of 2940 2716 Bpcbqk32.exe 31 PID 2716 wrote to memory of 2940 2716 Bpcbqk32.exe 31 PID 2716 wrote to memory of 2940 2716 Bpcbqk32.exe 31 PID 2940 wrote to memory of 1252 2940 Cljcelan.exe 32 PID 2940 wrote to memory of 1252 2940 Cljcelan.exe 32 PID 2940 wrote to memory of 1252 2940 Cljcelan.exe 32 PID 2940 wrote to memory of 1252 2940 Cljcelan.exe 32 PID 1252 wrote to memory of 2516 1252 Cgbdhd32.exe 33 PID 1252 wrote to memory of 2516 1252 Cgbdhd32.exe 33 PID 1252 wrote to memory of 2516 1252 Cgbdhd32.exe 33 PID 1252 wrote to memory of 2516 1252 Cgbdhd32.exe 33 PID 2516 wrote to memory of 2804 2516 Cjbmjplb.exe 34 PID 2516 wrote to memory of 2804 2516 Cjbmjplb.exe 34 PID 2516 wrote to memory of 2804 2516 Cjbmjplb.exe 34 PID 2516 wrote to memory of 2804 2516 Cjbmjplb.exe 34 PID 2804 wrote to memory of 2608 2804 Chhjkl32.exe 35 PID 2804 wrote to memory of 2608 2804 Chhjkl32.exe 35 PID 2804 wrote to memory of 2608 2804 Chhjkl32.exe 35 PID 2804 wrote to memory of 2608 2804 Chhjkl32.exe 35 PID 2608 wrote to memory of 1668 2608 Dgmglh32.exe 36 PID 2608 wrote to memory of 1668 2608 Dgmglh32.exe 36 PID 2608 wrote to memory of 1668 2608 Dgmglh32.exe 36 PID 2608 wrote to memory of 1668 2608 Dgmglh32.exe 36 PID 1668 wrote to memory of 1072 1668 Dgodbh32.exe 37 PID 1668 wrote to memory of 1072 1668 Dgodbh32.exe 37 PID 1668 wrote to memory of 1072 1668 Dgodbh32.exe 37 PID 1668 wrote to memory of 1072 1668 Dgodbh32.exe 37 PID 1072 wrote to memory of 1968 1072 Dqhhknjp.exe 38 PID 1072 wrote to memory of 1968 1072 Dqhhknjp.exe 38 PID 1072 wrote to memory of 1968 1072 Dqhhknjp.exe 38 PID 1072 wrote to memory of 1968 1072 Dqhhknjp.exe 38 PID 1968 wrote to memory of 1852 1968 Djbiicon.exe 39 PID 1968 wrote to memory of 1852 1968 Djbiicon.exe 39 PID 1968 wrote to memory of 1852 1968 Djbiicon.exe 39 PID 1968 wrote to memory of 1852 1968 Djbiicon.exe 39 PID 1852 wrote to memory of 1720 1852 Dfijnd32.exe 40 PID 1852 wrote to memory of 1720 1852 Dfijnd32.exe 40 PID 1852 wrote to memory of 1720 1852 Dfijnd32.exe 40 PID 1852 wrote to memory of 1720 1852 Dfijnd32.exe 40 PID 1720 wrote to memory of 2056 1720 Ekholjqg.exe 41 PID 1720 wrote to memory of 2056 1720 Ekholjqg.exe 41 PID 1720 wrote to memory of 2056 1720 Ekholjqg.exe 41 PID 1720 wrote to memory of 2056 1720 Ekholjqg.exe 41 PID 2056 wrote to memory of 2968 2056 Emhlfmgj.exe 42 PID 2056 wrote to memory of 2968 2056 Emhlfmgj.exe 42 PID 2056 wrote to memory of 2968 2056 Emhlfmgj.exe 42 PID 2056 wrote to memory of 2968 2056 Emhlfmgj.exe 42 PID 2968 wrote to memory of 444 2968 Egdilkbf.exe 43 PID 2968 wrote to memory of 444 2968 Egdilkbf.exe 43 PID 2968 wrote to memory of 444 2968 Egdilkbf.exe 43 PID 2968 wrote to memory of 444 2968 Egdilkbf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\67eaa493590bbf2d97a0390e8e2b6a70_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe33⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe34⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe36⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe37⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe38⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe39⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe40⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe41⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe42⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe43⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe44⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe45⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe46⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe47⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe48⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe49⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe50⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe51⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe52⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe53⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe54⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe55⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe57⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe58⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe59⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe61⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe62⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe63⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe64⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe66⤵PID:2104
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe67⤵PID:1484
-
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe68⤵PID:2088
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe69⤵PID:980
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe70⤵PID:2448
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe71⤵PID:1624
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe72⤵PID:712
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe73⤵PID:2188
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe74⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe75⤵PID:3016
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe76⤵PID:2956
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe77⤵PID:1908
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe78⤵PID:2560
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe80⤵PID:304
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe81⤵PID:2160
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe82⤵PID:1828
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe83⤵PID:1768
-
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe84⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe85⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe86⤵PID:996
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe87⤵PID:1680
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe88⤵PID:1944
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe89⤵PID:2116
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe90⤵PID:1352
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe91⤵PID:1608
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe92⤵PID:1752
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe93⤵PID:2648
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe94⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe95⤵PID:1664
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe96⤵PID:2764
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe97⤵PID:2868
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe98⤵PID:2168
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe99⤵PID:2240
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe100⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe101⤵PID:1448
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe102⤵PID:1492
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe103⤵PID:1820
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe104⤵PID:2020
-
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe105⤵PID:788
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe106⤵PID:2980
-
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe107⤵PID:844
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe108⤵PID:1612
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe109⤵PID:2712
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe110⤵PID:2524
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe111⤵PID:2080
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe112⤵PID:2896
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe113⤵PID:1812
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe114⤵PID:1912
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe115⤵PID:1920
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe116⤵PID:1472
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe117⤵PID:380
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe118⤵PID:1932
-
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe119⤵PID:2332
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe120⤵PID:3008
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe121⤵PID:2092
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe122⤵PID:2732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-