Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 18:15
Behavioral task
behavioral1
Sample
3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe
-
Size
482KB
-
MD5
3e62ac6a2b0fd42de69fbe3133291af0
-
SHA1
6f3607dbc5641b15053b247f2c905b25b89ced39
-
SHA256
3f42903da91784e50d2682a55d0a275c9a2b5f473377b415a48b2f2e7ac76868
-
SHA512
ec17f9093c56f8993a6c87890471aff2d3a8852665acd5c4c4880fe0029a0587ad13a40cdd4a2dc3d50668a626d4442701c0749d21823dbf2514d9b3eac3e810
-
SSDEEP
12288:lmJSJSLrpV6yYP4rbpV6yYPg058KpV6yYP8OThj:GSJSLrW4XWleKW8OThj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakgefqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opjkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpfkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmnofp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amjpgdik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmafngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifmocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpgibbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kolhdbjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noojdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgciff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojeomee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bopknhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbnmgll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmdkjmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boeoek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beogaenl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnmjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gllnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlhddh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfjbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiddoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Appbcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgdmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qinjgbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfccei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daacecfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdehdfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpchfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plaimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkiicmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Makkcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaqmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egikjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emgkhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glpgibbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qpaohjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdendpbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mghckj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomcpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhfnkqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgfjggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opjkpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qdofep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Deeqch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Illbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Koipglep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijfch32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b000000014e3d-5.dat family_berbew behavioral1/files/0x0008000000015a2d-18.dat family_berbew behavioral1/files/0x0007000000015c0d-31.dat family_berbew behavioral1/files/0x0009000000015c2f-46.dat family_berbew behavioral1/files/0x0006000000016d55-61.dat family_berbew behavioral1/files/0x0006000000016d84-83.dat family_berbew behavioral1/files/0x0006000000016e56-89.dat family_berbew behavioral1/memory/436-97-0x0000000000220000-0x0000000000259000-memory.dmp family_berbew behavioral1/files/0x0006000000017090-105.dat family_berbew behavioral1/files/0x0005000000018698-122.dat family_berbew behavioral1/files/0x0006000000018ae2-142.dat family_berbew behavioral1/files/0x0006000000018b15-150.dat family_berbew behavioral1/files/0x0006000000018b37-167.dat family_berbew behavioral1/files/0x0006000000018b4a-184.dat family_berbew behavioral1/files/0x0006000000018b73-204.dat family_berbew behavioral1/files/0x0006000000018ba2-219.dat family_berbew behavioral1/memory/528-222-0x0000000000220000-0x0000000000259000-memory.dmp family_berbew behavioral1/files/0x00050000000192c9-238.dat family_berbew behavioral1/files/0x000500000001931b-247.dat family_berbew behavioral1/memory/3048-250-0x00000000001B0000-0x00000000001E9000-memory.dmp family_berbew behavioral1/files/0x0005000000019368-263.dat family_berbew behavioral1/files/0x000500000001939b-274.dat family_berbew behavioral1/files/0x0005000000019410-289.dat family_berbew behavioral1/files/0x000500000001946f-298.dat family_berbew behavioral1/files/0x0005000000019485-312.dat family_berbew behavioral1/files/0x00040000000194d6-323.dat family_berbew behavioral1/files/0x00040000000194dc-336.dat family_berbew behavioral1/files/0x00050000000194ea-344.dat family_berbew behavioral1/files/0x00050000000194ef-358.dat family_berbew behavioral1/files/0x00050000000194f4-367.dat family_berbew behavioral1/files/0x0005000000019521-378.dat family_berbew behavioral1/files/0x0005000000019570-390.dat family_berbew behavioral1/files/0x000500000001959e-402.dat family_berbew behavioral1/files/0x00050000000195a4-412.dat family_berbew behavioral1/files/0x00050000000195a7-421.dat family_berbew behavioral1/files/0x00050000000195a9-435.dat family_berbew behavioral1/files/0x00050000000195ba-444.dat family_berbew behavioral1/files/0x0005000000019646-457.dat family_berbew behavioral1/files/0x000500000001996e-465.dat family_berbew behavioral1/files/0x0005000000019bd7-479.dat family_berbew behavioral1/files/0x0005000000019bef-489.dat family_berbew behavioral1/files/0x0005000000019ce6-500.dat family_berbew behavioral1/files/0x0005000000019d59-512.dat family_berbew behavioral1/files/0x0005000000019f60-523.dat family_berbew behavioral1/files/0x000500000001a013-537.dat family_berbew behavioral1/files/0x000500000001a2d0-547.dat family_berbew behavioral1/files/0x000500000001a3c2-555.dat family_berbew behavioral1/files/0x000500000001a3c8-567.dat family_berbew behavioral1/files/0x000500000001a3d4-577.dat family_berbew behavioral1/files/0x000500000001a429-587.dat family_berbew behavioral1/files/0x000500000001a431-599.dat family_berbew behavioral1/files/0x000500000001a43b-611.dat family_berbew behavioral1/files/0x000500000001a443-622.dat family_berbew behavioral1/files/0x000500000001a447-631.dat family_berbew behavioral1/files/0x000500000001a44b-642.dat family_berbew behavioral1/files/0x000500000001a44f-651.dat family_berbew behavioral1/files/0x000500000001a453-661.dat family_berbew behavioral1/files/0x000500000001a457-669.dat family_berbew behavioral1/files/0x000500000001a45b-679.dat family_berbew behavioral1/files/0x000500000001a45f-690.dat family_berbew behavioral1/files/0x000500000001a463-702.dat family_berbew behavioral1/files/0x000500000001a467-710.dat family_berbew behavioral1/files/0x000500000001a46c-720.dat family_berbew behavioral1/files/0x000500000001a470-730.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2032 Pqnlhpfb.exe 2640 Qinjgbpg.exe 2644 Aibcba32.exe 2664 Agjmim32.exe 2424 Aennba32.exe 436 Bepjha32.exe 1600 Bfccei32.exe 2768 Clgbno32.exe 1052 Ckahkk32.exe 1308 Ckcepj32.exe 2332 Diphbfdi.exe 2716 Egjbdo32.exe 1660 Ehjona32.exe 528 Foojop32.exe 3032 Fkejcq32.exe 3048 Fgadda32.exe 1444 Gjfgqk32.exe 1644 Iaeegh32.exe 1812 Idfnicfl.exe 608 Ilabmedg.exe 1764 Jdaqmg32.exe 1240 Jpjngh32.exe 848 Jjbbpmgo.exe 2612 Kcopdb32.exe 1560 Klhemhpk.exe 2576 Kdhcli32.exe 3008 Lomgjb32.exe 2448 Lmgalkcf.exe 2476 Lfpeeqig.exe 1164 Ljnnko32.exe 1264 Mfdopp32.exe 2348 Mchoid32.exe 2832 Mkddnf32.exe 1992 Mndmoaog.exe 1848 Mgmahg32.exe 1296 Mnifja32.exe 864 Ncfoch32.exe 2080 Ndhlhg32.exe 1648 Nmqpam32.exe 2104 Nmcmgm32.exe 3056 Nfkapb32.exe 2872 Nbbbdcgi.exe 1968 Olkfmi32.exe 1852 Okpcoe32.exe 1416 Oeehln32.exe 1940 Odjdmjgo.exe 320 Oopijc32.exe 2892 Oijjka32.exe 1724 Pkifdd32.exe 2016 Pnjofo32.exe 2980 Pgbdodnh.exe 3004 Pciddedl.exe 2532 Plaimk32.exe 2604 Qkffng32.exe 2468 Qfljkp32.exe 2696 Qdaglmcb.exe 1608 Bcpgdhpp.exe 636 Bfqpecma.exe 2772 Bnldjekl.exe 2672 Behilopf.exe 3028 Cnckjddd.exe 2484 Ccpcckck.exe 1428 Cmhglq32.exe 1736 Clmdmm32.exe -
Loads dropped DLL 64 IoCs
pid Process 1284 3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe 1284 3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe 2032 Pqnlhpfb.exe 2032 Pqnlhpfb.exe 2640 Qinjgbpg.exe 2640 Qinjgbpg.exe 2644 Aibcba32.exe 2644 Aibcba32.exe 2664 Agjmim32.exe 2664 Agjmim32.exe 2424 Aennba32.exe 2424 Aennba32.exe 436 Bepjha32.exe 436 Bepjha32.exe 1600 Bfccei32.exe 1600 Bfccei32.exe 2768 Clgbno32.exe 2768 Clgbno32.exe 1052 Ckahkk32.exe 1052 Ckahkk32.exe 1308 Ckcepj32.exe 1308 Ckcepj32.exe 2332 Diphbfdi.exe 2332 Diphbfdi.exe 2716 Egjbdo32.exe 2716 Egjbdo32.exe 1660 Ehjona32.exe 1660 Ehjona32.exe 528 Foojop32.exe 528 Foojop32.exe 3032 Fkejcq32.exe 3032 Fkejcq32.exe 3048 Fgadda32.exe 3048 Fgadda32.exe 1444 Gjfgqk32.exe 1444 Gjfgqk32.exe 1644 Iaeegh32.exe 1644 Iaeegh32.exe 1812 Idfnicfl.exe 1812 Idfnicfl.exe 608 Ilabmedg.exe 608 Ilabmedg.exe 1764 Jdaqmg32.exe 1764 Jdaqmg32.exe 1240 Jpjngh32.exe 1240 Jpjngh32.exe 848 Jjbbpmgo.exe 848 Jjbbpmgo.exe 2612 Kcopdb32.exe 2612 Kcopdb32.exe 1560 Klhemhpk.exe 1560 Klhemhpk.exe 2576 Kdhcli32.exe 2576 Kdhcli32.exe 3008 Lomgjb32.exe 3008 Lomgjb32.exe 2448 Lmgalkcf.exe 2448 Lmgalkcf.exe 2476 Lfpeeqig.exe 2476 Lfpeeqig.exe 1164 Ljnnko32.exe 1164 Ljnnko32.exe 1264 Mfdopp32.exe 1264 Mfdopp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nmqpam32.exe Ndhlhg32.exe File opened for modification C:\Windows\SysWOW64\Flfpabkp.exe Fkecij32.exe File created C:\Windows\SysWOW64\Fjigapme.dll Ofgbkacb.exe File opened for modification C:\Windows\SysWOW64\Qkielpdf.exe Qobdgo32.exe File created C:\Windows\SysWOW64\Bceeqi32.exe Bknmok32.exe File opened for modification C:\Windows\SysWOW64\Jqpebg32.exe Jkcmjpma.exe File opened for modification C:\Windows\SysWOW64\Imjkpb32.exe Icafgmbe.exe File created C:\Windows\SysWOW64\Ffcnqe32.dll Dqfabdaf.exe File created C:\Windows\SysWOW64\Emgdmc32.exe Epcddopf.exe File created C:\Windows\SysWOW64\Qbkalpla.dll Ebqngb32.exe File created C:\Windows\SysWOW64\Cbdiia32.exe Cepipm32.exe File opened for modification C:\Windows\SysWOW64\Ecmjid32.exe Ejdfqogm.exe File created C:\Windows\SysWOW64\Admgglep.exe Alaccj32.exe File created C:\Windows\SysWOW64\Fbflbd32.dll Bacefpbg.exe File created C:\Windows\SysWOW64\Jofial32.dll Ljnqdhga.exe File created C:\Windows\SysWOW64\Idqcamnn.dll Mghckj32.exe File created C:\Windows\SysWOW64\Ejcofica.exe Dklepmal.exe File created C:\Windows\SysWOW64\Fbbnekdd.dll Qiioon32.exe File created C:\Windows\SysWOW64\Hieiqo32.exe Hnpdcf32.exe File opened for modification C:\Windows\SysWOW64\Icbipe32.exe Ijidfpci.exe File created C:\Windows\SysWOW64\Djmiejji.exe Dhklna32.exe File created C:\Windows\SysWOW64\Hgeckn32.dll Nommodjj.exe File opened for modification C:\Windows\SysWOW64\Abbhje32.exe Qfkgdd32.exe File opened for modification C:\Windows\SysWOW64\Ckiiiine.exe Ciglaa32.exe File created C:\Windows\SysWOW64\Faffik32.dll Bdfooh32.exe File created C:\Windows\SysWOW64\Peqiahfi.dll Dhklna32.exe File created C:\Windows\SysWOW64\Glpgibbn.exe Gefolhja.exe File created C:\Windows\SysWOW64\Jmogjn32.dll Iocioq32.exe File created C:\Windows\SysWOW64\Idfnicfl.exe Iaeegh32.exe File created C:\Windows\SysWOW64\Mmjomogn.exe Laaabo32.exe File created C:\Windows\SysWOW64\Okhdnm32.dll Ohncbdbd.exe File opened for modification C:\Windows\SysWOW64\Njeelc32.exe Nopaoj32.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jkchmo32.exe File opened for modification C:\Windows\SysWOW64\Moeeelhn.exe Mfmqmgbm.exe File opened for modification C:\Windows\SysWOW64\Bjpdhifk.exe Bkkgfm32.exe File created C:\Windows\SysWOW64\Nqfilgbn.dll Jcfgoadd.exe File opened for modification C:\Windows\SysWOW64\Nnahgh32.exe Nhepoaif.exe File opened for modification C:\Windows\SysWOW64\Dbadagln.exe Ddmchcnd.exe File opened for modification C:\Windows\SysWOW64\Mdoccg32.exe Malmllfb.exe File opened for modification C:\Windows\SysWOW64\Qinjgbpg.exe Pqnlhpfb.exe File opened for modification C:\Windows\SysWOW64\Aoaill32.exe Ahhaobfe.exe File created C:\Windows\SysWOW64\Camnge32.exe Bggjjlnb.exe File opened for modification C:\Windows\SysWOW64\Pnfpjc32.exe Pmecbkgj.exe File created C:\Windows\SysWOW64\Idejihgk.dll Ffaaoh32.exe File opened for modification C:\Windows\SysWOW64\Djdjalea.exe Cqleifna.exe File created C:\Windows\SysWOW64\Ncekdcqn.dll Dmepkn32.exe File opened for modification C:\Windows\SysWOW64\Mkaeob32.exe Maiqfl32.exe File opened for modification C:\Windows\SysWOW64\Ochenfdn.exe Omnmal32.exe File opened for modification C:\Windows\SysWOW64\Mcfemmna.exe Ljnqdhga.exe File opened for modification C:\Windows\SysWOW64\Olkifaen.exe Npdhaq32.exe File opened for modification C:\Windows\SysWOW64\Ibkhak32.exe Idghhf32.exe File opened for modification C:\Windows\SysWOW64\Cgbfcjag.exe Cdcjgnbc.exe File created C:\Windows\SysWOW64\Klhemhpk.exe Kcopdb32.exe File created C:\Windows\SysWOW64\Flqkjo32.exe Fefcmehe.exe File opened for modification C:\Windows\SysWOW64\Hafbghhj.exe Hadfah32.exe File opened for modification C:\Windows\SysWOW64\Onipqp32.exe Occlcg32.exe File created C:\Windows\SysWOW64\Bkkpkade.dll Dpkibo32.exe File created C:\Windows\SysWOW64\Inngpj32.dll Aphehidc.exe File opened for modification C:\Windows\SysWOW64\Ciepkajj.exe Bopknhjd.exe File created C:\Windows\SysWOW64\Nbfnggeo.exe Mjkibehc.exe File created C:\Windows\SysWOW64\Jkcmjpma.exe Ibkhak32.exe File created C:\Windows\SysWOW64\Fgpcof32.dll Jfmnkn32.exe File opened for modification C:\Windows\SysWOW64\Bopknhjd.exe Bmnofp32.exe File created C:\Windows\SysWOW64\Fbhljb32.dll Bgghac32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iqhfnifq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laimda32.dll" Nbhkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeilp32.dll" Klhioioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eodicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iocioq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahadcefi.dll" Deeqch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgqbmgm.dll" Kbpefc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hadfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnoopd32.dll" Jfddkmch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhplbf.dll" Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidqce32.dll" Kdhcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejdjfjb.dll" Hlgimqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbmmbaal.dll" Peqhgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcclhg32.dll" Oopijc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Calcpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enhaeldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmcopp32.dll" Bepjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmgfhhe.dll" Ckcepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogliemkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olemefec.dll" Occlcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Indnnfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jqpebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll" Cgbfcjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" Jlnmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobakc32.dll" Hnpdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghijlbj.dll" Mkaeob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipknhkd.dll" Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhigm32.dll" Bnldjekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djdjalea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahngomkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjpkq32.dll" Qpaohjkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkpkade.dll" Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faffik32.dll" Bdfooh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmmbqegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfomeb32.dll" Feachqgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akadpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npfjbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmpebb32.dll" Kenjgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idbnmgll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljbipolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpcof32.dll" Jfmnkn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1284 wrote to memory of 2032 1284 3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe 28 PID 1284 wrote to memory of 2032 1284 3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe 28 PID 1284 wrote to memory of 2032 1284 3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe 28 PID 1284 wrote to memory of 2032 1284 3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe 28 PID 2032 wrote to memory of 2640 2032 Pqnlhpfb.exe 29 PID 2032 wrote to memory of 2640 2032 Pqnlhpfb.exe 29 PID 2032 wrote to memory of 2640 2032 Pqnlhpfb.exe 29 PID 2032 wrote to memory of 2640 2032 Pqnlhpfb.exe 29 PID 2640 wrote to memory of 2644 2640 Qinjgbpg.exe 30 PID 2640 wrote to memory of 2644 2640 Qinjgbpg.exe 30 PID 2640 wrote to memory of 2644 2640 Qinjgbpg.exe 30 PID 2640 wrote to memory of 2644 2640 Qinjgbpg.exe 30 PID 2644 wrote to memory of 2664 2644 Aibcba32.exe 31 PID 2644 wrote to memory of 2664 2644 Aibcba32.exe 31 PID 2644 wrote to memory of 2664 2644 Aibcba32.exe 31 PID 2644 wrote to memory of 2664 2644 Aibcba32.exe 31 PID 2664 wrote to memory of 2424 2664 Agjmim32.exe 32 PID 2664 wrote to memory of 2424 2664 Agjmim32.exe 32 PID 2664 wrote to memory of 2424 2664 Agjmim32.exe 32 PID 2664 wrote to memory of 2424 2664 Agjmim32.exe 32 PID 2424 wrote to memory of 436 2424 Aennba32.exe 33 PID 2424 wrote to memory of 436 2424 Aennba32.exe 33 PID 2424 wrote to memory of 436 2424 Aennba32.exe 33 PID 2424 wrote to memory of 436 2424 Aennba32.exe 33 PID 436 wrote to memory of 1600 436 Bepjha32.exe 34 PID 436 wrote to memory of 1600 436 Bepjha32.exe 34 PID 436 wrote to memory of 1600 436 Bepjha32.exe 34 PID 436 wrote to memory of 1600 436 Bepjha32.exe 34 PID 1600 wrote to memory of 2768 1600 Bfccei32.exe 35 PID 1600 wrote to memory of 2768 1600 Bfccei32.exe 35 PID 1600 wrote to memory of 2768 1600 Bfccei32.exe 35 PID 1600 wrote to memory of 2768 1600 Bfccei32.exe 35 PID 2768 wrote to memory of 1052 2768 Clgbno32.exe 36 PID 2768 wrote to memory of 1052 2768 Clgbno32.exe 36 PID 2768 wrote to memory of 1052 2768 Clgbno32.exe 36 PID 2768 wrote to memory of 1052 2768 Clgbno32.exe 36 PID 1052 wrote to memory of 1308 1052 Ckahkk32.exe 37 PID 1052 wrote to memory of 1308 1052 Ckahkk32.exe 37 PID 1052 wrote to memory of 1308 1052 Ckahkk32.exe 37 PID 1052 wrote to memory of 1308 1052 Ckahkk32.exe 37 PID 1308 wrote to memory of 2332 1308 Ckcepj32.exe 38 PID 1308 wrote to memory of 2332 1308 Ckcepj32.exe 38 PID 1308 wrote to memory of 2332 1308 Ckcepj32.exe 38 PID 1308 wrote to memory of 2332 1308 Ckcepj32.exe 38 PID 2332 wrote to memory of 2716 2332 Diphbfdi.exe 39 PID 2332 wrote to memory of 2716 2332 Diphbfdi.exe 39 PID 2332 wrote to memory of 2716 2332 Diphbfdi.exe 39 PID 2332 wrote to memory of 2716 2332 Diphbfdi.exe 39 PID 2716 wrote to memory of 1660 2716 Egjbdo32.exe 40 PID 2716 wrote to memory of 1660 2716 Egjbdo32.exe 40 PID 2716 wrote to memory of 1660 2716 Egjbdo32.exe 40 PID 2716 wrote to memory of 1660 2716 Egjbdo32.exe 40 PID 1660 wrote to memory of 528 1660 Ehjona32.exe 41 PID 1660 wrote to memory of 528 1660 Ehjona32.exe 41 PID 1660 wrote to memory of 528 1660 Ehjona32.exe 41 PID 1660 wrote to memory of 528 1660 Ehjona32.exe 41 PID 528 wrote to memory of 3032 528 Foojop32.exe 42 PID 528 wrote to memory of 3032 528 Foojop32.exe 42 PID 528 wrote to memory of 3032 528 Foojop32.exe 42 PID 528 wrote to memory of 3032 528 Foojop32.exe 42 PID 3032 wrote to memory of 3048 3032 Fkejcq32.exe 43 PID 3032 wrote to memory of 3048 3032 Fkejcq32.exe 43 PID 3032 wrote to memory of 3048 3032 Fkejcq32.exe 43 PID 3032 wrote to memory of 3048 3032 Fkejcq32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3e62ac6a2b0fd42de69fbe3133291af0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe33⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe34⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe36⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe37⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe38⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe40⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe41⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe42⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe43⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe44⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe45⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe46⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe47⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe49⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe50⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe51⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe52⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe53⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe55⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe56⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe58⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe59⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe62⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe64⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe65⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe66⤵PID:1664
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe67⤵PID:2860
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe68⤵PID:2084
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe69⤵PID:3068
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:960 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe71⤵PID:1440
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe72⤵PID:2200
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe73⤵PID:560
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe75⤵PID:1748
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe76⤵PID:2356
-
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe78⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe79⤵PID:2212
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe80⤵PID:2656
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe81⤵PID:1096
-
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe82⤵PID:2408
-
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe83⤵PID:2784
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe84⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe85⤵
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe86⤵PID:2700
-
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe87⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe88⤵PID:1784
-
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe89⤵PID:2868
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe90⤵PID:3044
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe91⤵PID:2172
-
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe92⤵PID:1384
-
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe93⤵PID:1088
-
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe94⤵PID:1268
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe96⤵PID:2836
-
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe97⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe98⤵PID:2432
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe99⤵PID:2436
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe100⤵PID:2588
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe101⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe102⤵PID:812
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe103⤵PID:944
-
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe107⤵PID:652
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe108⤵PID:2904
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe109⤵PID:1756
-
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe110⤵PID:1204
-
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe111⤵PID:900
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe112⤵PID:1568
-
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe113⤵PID:2572
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe114⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe115⤵PID:1616
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe116⤵
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe117⤵PID:1676
-
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe118⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe119⤵PID:2900
-
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe120⤵PID:676
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe121⤵PID:2040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-