Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 12:50
Behavioral task behavioral1
Sample: d2d437472720ba866400921321e84cd0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: d2d437472720ba866400921321e84cd0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General

Target: d2d437472720ba866400921321e84cd0_NeikiAnalytics.exe
Size: 1000KB
MD5: d2d437472720ba866400921321e84cd0
SHA1: fb0db15a09363f189745251aa9b399b2b2afd5ed
SHA256: 456533ad9a2b140c9a8eeba0f56668f0f7d53da9a2f38bc74eb999c1e1a7e173
SHA512: 3a907b326f3dc478b2967c6ba21c8789dbb5a4dd92728856ffb4a05236b2f20187bd7e2172793513aaecae35fbc4da73e1f3275cc94962236e157f57f100c270
SSDEEP: 6144:r+GneiyxDHBFLqWjjgwTgZLnSnLrTSxJ2JrYXklSu9lIhBBJKQh31GTYUCIIYyy8:aJtHBFLPj3TmLnWrOxNuxC97hFq9o7
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 5240, pid_target 6024, Process: Process not Found
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry gives the depth in the spawn chain, the image path, the PID, and the signatures raised by that process. Entry 1 is the submitted sample; for entries 2 to 122 the image path is C:\Windows\SysWOW64\<name>.exe and the recorded command line is C:\Windows\system32\<name>.exe.
1. C:\Users\Admin\AppData\Local\Temp\d2d437472720ba866400921321e84cd0_NeikiAnalytics.exe (PID 2872) - Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Egdilkbf.exe (PID 1996) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fcmgfkeg.exe (PID 2060) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fioija32.exe (PID 2528) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Gpmjak32.exe (PID 2396) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Gmgdddmq.exe (PID 2372) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hicodd32.exe (PID 2908) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Hejoiedd.exe (PID 2716) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Inljnfkg.exe (PID 2780) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Igdogl32.exe (PID 828) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Jgnamk32.exe (PID 1540) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Jicgpb32.exe (PID 2660) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kneicieh.exe (PID 1112) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Kngfih32.exe (PID 1344) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kjqccigf.exe (PID 2936) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Llfifq32.exe (PID 1568) - Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mdkqqa32.exe (PID 584) - Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Meagci32.exe (PID 1468) - Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Mgqcmlgl.exe (PID 428) - Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Mlmlecec.exe (PID 2044) - Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Nhdlkdkg.exe (PID 2200) - Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Namqci32.exe (PID 1276) - Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Ndmjedoi.exe (PID 380) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Nkgbbo32.exe (PID 2108) - Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Npfgpe32.exe (PID 1640) - Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Nceclqan.exe (PID 1716) - Executes dropped EXE; Loads dropped DLL; Modifies registry class
27. C:\Windows\SysWOW64\Onjgiiad.exe (PID 1552) - Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Onmdoioa.exe (PID 2456) - Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Oqmmpd32.exe (PID 2564) - Executes dropped EXE; Loads dropped DLL; Modifies registry class
30. C:\Windows\SysWOW64\Obojhlbq.exe (PID 2588) - Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Okikfagn.exe (PID 1652) - Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Ooeggp32.exe (PID 2676) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Pnjdhmdo.exe (PID 2536) - Executes dropped EXE
34. C:\Windows\SysWOW64\Pkndaa32.exe (PID 2368) - Executes dropped EXE
35. C:\Windows\SysWOW64\Pjcabmga.exe (PID 2748) - Executes dropped EXE
36. C:\Windows\SysWOW64\Pmanoifd.exe (PID 2616) - Executes dropped EXE
37. C:\Windows\SysWOW64\Pgioaa32.exe (PID 1356) - Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Pjhknm32.exe (PID 1456) - Executes dropped EXE
39. C:\Windows\SysWOW64\Qabcjgkh.exe (PID 2432) - Executes dropped EXE
40. C:\Windows\SysWOW64\Qcbllb32.exe (PID 1440) - Executes dropped EXE
41. C:\Windows\SysWOW64\Aibajhdn.exe (PID 1008) - Executes dropped EXE
42. C:\Windows\SysWOW64\Aplifb32.exe (PID 1236) - Executes dropped EXE
43. C:\Windows\SysWOW64\Aekodi32.exe (PID 2928) - Executes dropped EXE
44. C:\Windows\SysWOW64\Alegac32.exe (PID 2944) - Executes dropped EXE
45. C:\Windows\SysWOW64\Aaaoij32.exe (PID 2008) - Executes dropped EXE
46. C:\Windows\SysWOW64\Amhpnkch.exe (PID 1732) - Executes dropped EXE
47. C:\Windows\SysWOW64\Bjlqhoba.exe (PID 3000) - Executes dropped EXE
48. C:\Windows\SysWOW64\Bpiipf32.exe (PID 1280) - Executes dropped EXE
49. C:\Windows\SysWOW64\Bfenbpec.exe (PID 980) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50. C:\Windows\SysWOW64\Bidjnkdg.exe (PID 1584) - Executes dropped EXE
51. C:\Windows\SysWOW64\Bldcpf32.exe (PID 1524) - Executes dropped EXE
52. C:\Windows\SysWOW64\Bbokmqie.exe (PID 2844) - Executes dropped EXE
53. C:\Windows\SysWOW64\Bhkdeggl.exe (PID 1660) - Executes dropped EXE
54. C:\Windows\SysWOW64\Cadhnmnm.exe (PID 1672) - Executes dropped EXE
55. C:\Windows\SysWOW64\Clilkfnb.exe (PID 2964) - Executes dropped EXE
56. C:\Windows\SysWOW64\Ceaadk32.exe (PID 1988) - Executes dropped EXE
57. C:\Windows\SysWOW64\Cojema32.exe (PID 2288) - Executes dropped EXE
58. C:\Windows\SysWOW64\Cpkbdiqb.exe (PID 2540) - Executes dropped EXE
59. C:\Windows\SysWOW64\Cnobnmpl.exe (PID 2448) - Executes dropped EXE
60. C:\Windows\SysWOW64\Cghggc32.exe (PID 2268) - Executes dropped EXE
61. C:\Windows\SysWOW64\Cnaocmmi.exe (PID 1488) - Executes dropped EXE
62. C:\Windows\SysWOW64\Cdlgpgef.exe (PID 2760) - Executes dropped EXE
63. C:\Windows\SysWOW64\Dgjclbdi.exe (PID 1664) - Executes dropped EXE
64. C:\Windows\SysWOW64\Dndlim32.exe (PID 2620) - Executes dropped EXE; Drops file in System32 directory
65. C:\Windows\SysWOW64\Dbfabp32.exe (PID 792) - Executes dropped EXE
66. C:\Windows\SysWOW64\Djmicm32.exe (PID 2952)
67. C:\Windows\SysWOW64\Ddgjdk32.exe (PID 1948)
68. C:\Windows\SysWOW64\Dlnbeh32.exe (PID 2100)
69. C:\Windows\SysWOW64\Dolnad32.exe (PID 2788) - Drops file in System32 directory
70. C:\Windows\SysWOW64\Dookgcij.exe (PID 2000)
71. C:\Windows\SysWOW64\Ebmgcohn.exe (PID 856)
72. C:\Windows\SysWOW64\Ehgppi32.exe (PID 872)
73. C:\Windows\SysWOW64\Ekhhadmk.exe (PID 1436)
74. C:\Windows\SysWOW64\Emieil32.exe (PID 3056) - Modifies registry class
75. C:\Windows\SysWOW64\Edpmjj32.exe (PID 3004)
76. C:\Windows\SysWOW64\Emkaol32.exe (PID 2028)
77. C:\Windows\SysWOW64\Efcfga32.exe (PID 1544)
78. C:\Windows\SysWOW64\Echfaf32.exe (PID 2580)
79. C:\Windows\SysWOW64\Fidoim32.exe (PID 2640)
80. C:\Windows\SysWOW64\Fpngfgle.exe (PID 2492)
81. C:\Windows\SysWOW64\Flehkhai.exe (PID 112)
82. C:\Windows\SysWOW64\Fenmdm32.exe (PID 1656)
83. C:\Windows\SysWOW64\Flgeqgog.exe (PID 624)
84. C:\Windows\SysWOW64\Fadminnn.exe (PID 488)
85. C:\Windows\SysWOW64\Febfomdd.exe (PID 2864)
86. C:\Windows\SysWOW64\Fhqbkhch.exe (PID 1416)
87. C:\Windows\SysWOW64\Fjongcbl.exe (PID 2904)
88. C:\Windows\SysWOW64\Gdgcpi32.exe (PID 1972)
89. C:\Windows\SysWOW64\Gffoldhp.exe (PID 2252)
90. C:\Windows\SysWOW64\Gfhladfn.exe (PID 608) - Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Gpqpjj32.exe (PID 1740)
92. C:\Windows\SysWOW64\Giieco32.exe (PID 2284)
93. C:\Windows\SysWOW64\Glgaok32.exe (PID 2584)
94. C:\Windows\SysWOW64\Gepehphc.exe (PID 2384) - Drops file in System32 directory
95. C:\Windows\SysWOW64\Gebbnpfp.exe (PID 2424) - Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
96. C:\Windows\SysWOW64\Hojgfemq.exe (PID 2728)
97. C:\Windows\SysWOW64\Hedocp32.exe (PID 1472)
98. C:\Windows\SysWOW64\Hbhomd32.exe (PID 1924)
99. C:\Windows\SysWOW64\Hdildlie.exe (PID 2756)
100. C:\Windows\SysWOW64\Hoopae32.exe (PID 2248) - Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Hkfagfop.exe (PID 2260)
102. C:\Windows\SysWOW64\Hpbiommg.exe (PID 2084)
103. C:\Windows\SysWOW64\Hmfjha32.exe (PID 948)
104. C:\Windows\SysWOW64\Hpefdl32.exe (PID 320)
105. C:\Windows\SysWOW64\Hdqbekcm.exe (PID 1412)
106. C:\Windows\SysWOW64\Iimjmbae.exe (PID 884)
107. C:\Windows\SysWOW64\Icfofg32.exe (PID 1956)
108. C:\Windows\SysWOW64\Iipgcaob.exe (PID 2428)
109. C:\Windows\SysWOW64\Ilncom32.exe (PID 2388)
110. C:\Windows\SysWOW64\Ilqpdm32.exe (PID 2744)
111. C:\Windows\SysWOW64\Icjhagdp.exe (PID 760)
112. C:\Windows\SysWOW64\Ilcmjl32.exe (PID 324)
113. C:\Windows\SysWOW64\Ikfmfi32.exe (PID 592)
114. C:\Windows\SysWOW64\Icmegf32.exe (PID 3044) - Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Ifkacb32.exe (PID 928)
116. C:\Windows\SysWOW64\Ikhjki32.exe (PID 1964) - Drops file in System32 directory
117. C:\Windows\SysWOW64\Jnffgd32.exe (PID 2208)
118. C:\Windows\SysWOW64\Jfnnha32.exe (PID 3020)
119. C:\Windows\SysWOW64\Jhljdm32.exe (PID 1880)
120. C:\Windows\SysWOW64\Jgojpjem.exe (PID 2112)
121. C:\Windows\SysWOW64\Jchhkjhn.exe (PID 3048)
122. C:\Windows\SysWOW64\Jkoplhip.exe (PID 1556) - Modifies registry class