Analysis
max time kernel: 142s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 00:07
Behavioral task behavioral1
Sample: 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Size: 125KB
MD5: 5d2f65b844213aa26a92e1e498b1e190
SHA1: 5dc48ed340eaeefacc97fce386cc8d77515e62cf
SHA256: 98559176c0e611fa4c8b93b134dd97820b29051df567f15805256266814524c2
SHA512: b77a6aea7d21bae021d778457b21d7029aa90e0f43b118b61d6a56375a0d8edfd31142786eb73b12ab1f000090fe9df9cc1eb31e2f7e448fa97fe4576a2da2a7
SSDEEP: 3072:0sX8LIjaC82lBdGKcSZpTt4Haz5cM1WdTCn93OGey/ZhJakrPF:QLnngnHpTt4Haz5cjTCndOGeKTaG
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elgfkhpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gleqdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eplmflde.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Plbkfdba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dinneo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dnkhfnck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Plpqim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbadjg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oalkih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkknac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmlqimph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epbpbnan.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igpdnlgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbiijb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnjagdlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adlcfjgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkqiek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kkalcdao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlchfp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obmpgjbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehpcehcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjdcbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fenphjei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lmcdkbao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nmfbpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abjeejep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfohgepi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eegkpo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifengpdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbboiknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imnbbi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njmfhe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egcfdn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmbfggdo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmpdmfff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maldfbjn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnogfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmkjgfmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfopdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eehndm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cocphf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeghng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofqmcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lafahdcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmbabj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Edpoeoea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgqhgjbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0009000000015c5d-5.dat | family_berbew
behavioral1/memory/2244-6-0x00000000003B0000-0x00000000003F7000-memory.dmp | family_berbew
behavioral1/memory/2244-13-0x00000000003B0000-0x00000000003F7000-memory.dmp | family_berbew
behavioral1/files/0x0027000000015d88-19.dat | family_berbew
behavioral1/memory/2604-40-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/memory/2992-39-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0007000000015e6f-38.dat | family_berbew
behavioral1/files/0x0009000000015ec0-46.dat | family_berbew
behavioral1/memory/2556-53-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018b42-59.dat | family_berbew
behavioral1/memory/2416-66-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018b6a-72.dat | family_berbew
behavioral1/memory/2388-79-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0016000000015db4-85.dat | family_berbew
behavioral1/memory/2996-93-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018d06-99.dat | family_berbew
behavioral1/memory/2372-107-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00050000000192f4-113.dat | family_berbew
behavioral1/memory/2372-115-0x0000000000270000-0x00000000002B7000-memory.dmp | family_berbew
behavioral1/memory/2156-121-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019333-127.dat | family_berbew
behavioral1/memory/2156-129-0x0000000000220000-0x0000000000267000-memory.dmp | family_berbew
behavioral1/memory/2664-142-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019377-140.dat | family_berbew
behavioral1/memory/2308-148-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00050000000193b0-154.dat | family_berbew
behavioral1/memory/2308-156-0x00000000003A0000-0x00000000003E7000-memory.dmp | family_berbew
behavioral1/memory/1964-162-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x000500000001946b-168.dat | family_berbew
behavioral1/memory/2576-175-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019473-181.dat | family_berbew
behavioral1/memory/2576-187-0x0000000000310000-0x0000000000357000-memory.dmp | family_berbew
behavioral1/memory/1792-189-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00050000000194a4-195.dat | family_berbew
behavioral1/memory/2080-202-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00040000000194d8-208.dat | family_berbew
behavioral1/memory/2080-210-0x0000000000220000-0x0000000000267000-memory.dmp | family_berbew
behavioral1/memory/2108-221-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/memory/2108-223-0x0000000000450000-0x0000000000497000-memory.dmp | family_berbew
behavioral1/files/0x00050000000194e8-224.dat | family_berbew
behavioral1/memory/2064-227-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/memory/2064-233-0x0000000000220000-0x0000000000267000-memory.dmp | family_berbew
behavioral1/files/0x00050000000194ee-235.dat | family_berbew
behavioral1/memory/980-238-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00050000000194f2-244.dat | family_berbew
behavioral1/memory/980-247-0x0000000000220000-0x0000000000267000-memory.dmp | family_berbew
behavioral1/memory/1080-249-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x000500000001950c-257.dat | family_berbew
behavioral1/memory/1356-262-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019547-265.dat | family_berbew
behavioral1/memory/1356-264-0x0000000000450000-0x0000000000497000-memory.dmp | family_berbew
behavioral1/files/0x000500000001959c-274.dat | family_berbew
behavioral1/memory/2760-278-0x00000000001B0000-0x00000000001F7000-memory.dmp | family_berbew
behavioral1/memory/1200-283-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/memory/2760-277-0x00000000001B0000-0x00000000001F7000-memory.dmp | family_berbew
behavioral1/files/0x00050000000195a2-286.dat | family_berbew
behavioral1/memory/596-294-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00050000000195a6-296.dat | family_berbew
behavioral1/memory/948-301-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00050000000195a8-308.dat | family_berbew
behavioral1/memory/948-307-0x0000000000220000-0x0000000000267000-memory.dmp | family_berbew
behavioral1/memory/944-316-0x0000000000400000-0x0000000000447000-memory.dmp | family_berbew
behavioral1/files/0x00050000000195aa-318.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
2096 | Gbfiaj32.exe
2992 | Gmbfggdo.exe
2604 | Gjfgqk32.exe
2556 | Gcahoqhf.exe
2416 | Hnkion32.exe
2388 | Halbai32.exe
2996 | Hjdfjo32.exe
2372 | Helgmg32.exe
2156 | Ipehmebh.exe
2664 | Iipiljgf.exe
2308 | Imnbbi32.exe
1964 | Ibmgpoia.exe
2576 | Jhlmmfef.exe
1792 | Jkmeoa32.exe
2080 | Jdejhfig.exe
2108 | Jlckbh32.exe
2064 | Knbhlkkc.exe
980 | Khlili32.exe
1080 | Kkmand32.exe
1356 | Kdefgj32.exe
2760 | Kgfoie32.exe
1200 | Lblcfnhj.exe
596 | Ldllgiek.exe
948 | Lgmeid32.exe
944 | Lgoboc32.exe
1940 | Mfdopp32.exe
1224 | Mchoid32.exe
2052 | Mfihkoal.exe
2872 | Mpamde32.exe
2700 | Mijamjnm.exe
2552 | Meabakda.exe
2428 | Najpll32.exe
2560 | Njbdea32.exe
2424 | Nijnln32.exe
1092 | Oiljam32.exe
2036 | Obdojcef.exe
1856 | Omqlpp32.exe
2660 | Okdmjdol.exe
1240 | Pgnjde32.exe
2016 | Pljcllqe.exe
1976 | Pomhcg32.exe
308 | Pegqpacp.exe
2964 | Popeif32.exe
2292 | Pdmnam32.exe
2948 | Qaqnkafa.exe
3052 | Qgmfchei.exe
1156 | Qqfkln32.exe
1460 | Qhmcmk32.exe
368 | Aknlofim.exe
2132 | Aciqcifh.exe
2352 | Aopahjll.exe
1144 | Ajeeeblb.exe
2312 | Abpjjeim.exe
1576 | Aijbfo32.exe
2716 | Bbbgod32.exe
2524 | Bkklhjnk.exe
2628 | Biolanld.exe
2644 | Bnldjekl.exe
2224 | Bkpeci32.exe
2820 | Bbjmpcab.exe
2320 | Bkbaii32.exe
2640 | Bejfao32.exe
2348 | Cjgoje32.exe
1808 | Cpdgbm32.exe
Loads dropped DLL 64 IoCs
pid | Process
2244 | 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
2244 | 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
2096 | Gbfiaj32.exe
2096 | Gbfiaj32.exe
2992 | Gmbfggdo.exe
2992 | Gmbfggdo.exe
2604 | Gjfgqk32.exe
2604 | Gjfgqk32.exe
2556 | Gcahoqhf.exe
2556 | Gcahoqhf.exe
2416 | Hnkion32.exe
2416 | Hnkion32.exe
2388 | Halbai32.exe
2388 | Halbai32.exe
2996 | Hjdfjo32.exe
2996 | Hjdfjo32.exe
2372 | Helgmg32.exe
2372 | Helgmg32.exe
2156 | Ipehmebh.exe
2156 | Ipehmebh.exe
2664 | Iipiljgf.exe
2664 | Iipiljgf.exe
2308 | Imnbbi32.exe
2308 | Imnbbi32.exe
1964 | Ibmgpoia.exe
1964 | Ibmgpoia.exe
2576 | Jhlmmfef.exe
2576 | Jhlmmfef.exe
1792 | Jkmeoa32.exe
1792 | Jkmeoa32.exe
2080 | Jdejhfig.exe
2080 | Jdejhfig.exe
2108 | Jlckbh32.exe
2108 | Jlckbh32.exe
2064 | Knbhlkkc.exe
2064 | Knbhlkkc.exe
980 | Khlili32.exe
980 | Khlili32.exe
1080 | Kkmand32.exe
1080 | Kkmand32.exe
1356 | Kdefgj32.exe
1356 | Kdefgj32.exe
2760 | Kgfoie32.exe
2760 | Kgfoie32.exe
1200 | Lblcfnhj.exe
1200 | Lblcfnhj.exe
596 | Ldllgiek.exe
596 | Ldllgiek.exe
948 | Lgmeid32.exe
948 | Lgmeid32.exe
944 | Lgoboc32.exe
944 | Lgoboc32.exe
1940 | Mfdopp32.exe
1940 | Mfdopp32.exe
1224 | Mchoid32.exe
1224 | Mchoid32.exe
2052 | Mfihkoal.exe
2052 | Mfihkoal.exe
2872 | Mpamde32.exe
2872 | Mpamde32.exe
2700 | Mijamjnm.exe
2700 | Mijamjnm.exe
2552 | Meabakda.exe
2552 | Meabakda.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Oiifcdhn.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lgdafeln.exe | Process not Found
File created | C:\Windows\SysWOW64\Iplkimih.dll | Nijnln32.exe
File created | C:\Windows\SysWOW64\Khadpa32.exe | Koipglep.exe
File created | C:\Windows\SysWOW64\Bodhjdcc.exe | Baqhapdj.exe
File created | C:\Windows\SysWOW64\Ejgeogmn.exe | Eqopfbfn.exe
File opened for modification | C:\Windows\SysWOW64\Fkoqmhii.exe | Fnkpcd32.exe
File created | C:\Windows\SysWOW64\Dihkimag.exe | Dpofpg32.exe
File created | C:\Windows\SysWOW64\Hgbhibio.exe | Process not Found
File created | C:\Windows\SysWOW64\Ccpeld32.exe | Bkknac32.exe
File opened for modification | C:\Windows\SysWOW64\Oqlfhjch.exe | Ogdaod32.exe
File opened for modification | C:\Windows\SysWOW64\Cedpdpdf.exe | Cllkkk32.exe
File created | C:\Windows\SysWOW64\Bnqcaffa.exe | Process not Found
File created | C:\Windows\SysWOW64\Liedae32.dll | Fhkagonc.exe
File created | C:\Windows\SysWOW64\Bbfgiabg.exe | Bhpclica.exe
File created | C:\Windows\SysWOW64\Kgelahmn.exe | Kahciaog.exe
File opened for modification | C:\Windows\SysWOW64\Ciihklpj.exe | Cbppnbhm.exe
File opened for modification | C:\Windows\SysWOW64\Mfjkdh32.exe | Mcknhm32.exe
File created | C:\Windows\SysWOW64\Oehicoom.exe | Ojceef32.exe
File created | C:\Windows\SysWOW64\Keniknoh.dll | Process not Found
File created | C:\Windows\SysWOW64\Egmabg32.exe | Eeldkonl.exe
File created | C:\Windows\SysWOW64\Ocaadj32.dll | Lgngbmjp.exe
File opened for modification | C:\Windows\SysWOW64\Mqjefamk.exe | Mgbaml32.exe
File opened for modification | C:\Windows\SysWOW64\Cpdhna32.exe | Cjjpag32.exe
File created | C:\Windows\SysWOW64\Klfpkgea.dll | Kogffida.exe
File created | C:\Windows\SysWOW64\Hnjdpm32.exe | Process not Found
File created | C:\Windows\SysWOW64\Jjjdjp32.exe | Process not Found
File created | C:\Windows\SysWOW64\Llpgep32.dll | Doabjbci.exe
File created | C:\Windows\SysWOW64\Djiiddfd.dll | Qaqlbmbn.exe
File created | C:\Windows\SysWOW64\Bhelghol.exe | Blnkbg32.exe
File created | C:\Windows\SysWOW64\Pibbke32.dll | Gjccbb32.exe
File created | C:\Windows\SysWOW64\Qooplh32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mfdopp32.exe | Lgoboc32.exe
File created | C:\Windows\SysWOW64\Acblbcob.dll | Dpklkgoj.exe
File opened for modification | C:\Windows\SysWOW64\Epcddopf.exe | Ebockkal.exe
File created | C:\Windows\SysWOW64\Jegphc32.dll | Aeepjh32.exe
File opened for modification | C:\Windows\SysWOW64\Kdefgj32.exe | Kkmand32.exe
File created | C:\Windows\SysWOW64\Ejebfdmb.dll | Ijclol32.exe
File created | C:\Windows\SysWOW64\Pofhpf32.dll | Ccgklc32.exe
File opened for modification | C:\Windows\SysWOW64\Ghibjjnk.exe | Goqnae32.exe
File opened for modification | C:\Windows\SysWOW64\Igceej32.exe | Ibfmmb32.exe
File opened for modification | C:\Windows\SysWOW64\Anbmbi32.exe | Aeghng32.exe
File created | C:\Windows\SysWOW64\Bgmnpn32.exe | Bdobdc32.exe
File created | C:\Windows\SysWOW64\Hhfnqbdc.dll | Pjjkfe32.exe
File created | C:\Windows\SysWOW64\Fljkodkb.dll | Ecbfmm32.exe
File created | C:\Windows\SysWOW64\Gjdfqh32.dll | Lcneklck.exe
File created | C:\Windows\SysWOW64\Gccjpb32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Oepjoa32.exe | Ncamen32.exe
File opened for modification | C:\Windows\SysWOW64\Oqgjdbpi.exe | Oepjoa32.exe
File created | C:\Windows\SysWOW64\Acbbhobn.dll | Dfngll32.exe
File created | C:\Windows\SysWOW64\Afndjdpe.exe | Qaqlbmbn.exe
File created | C:\Windows\SysWOW64\Iigcobid.exe | Hidfjckg.exe
File created | C:\Windows\SysWOW64\Fgbnbcmd.exe | Flmidkmn.exe
File opened for modification | C:\Windows\SysWOW64\Khlili32.exe | Knbhlkkc.exe
File created | C:\Windows\SysWOW64\Iahghfmb.dll | Hofngkga.exe
File created | C:\Windows\SysWOW64\Kkifia32.dll | Ebnabb32.exe
File created | C:\Windows\SysWOW64\Kcnhokob.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Bnldjekl.exe | Biolanld.exe
File created | C:\Windows\SysWOW64\Cjakccop.exe | Cchbgi32.exe
File opened for modification | C:\Windows\SysWOW64\Fiqibj32.exe | Ebfqfpop.exe
File created | C:\Windows\SysWOW64\Qmpebb32.dll | Kenjgi32.exe
File created | C:\Windows\SysWOW64\Alfoikga.dll | Gpeoakhc.exe
File opened for modification | C:\Windows\SysWOW64\Bkonkpqk.exe | Process not Found
File created | C:\Windows\SysWOW64\Oikbkegk.dll | Hkolakkb.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5032 | 2552 | Process not Found | 1399
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lomglo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafaaq32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegnj32.dll" | Akfnkmei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajnqphhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limhol32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cddlpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfeepelg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iockhigl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Peqhgmdd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agldbd32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Miapbpmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegknghg.dll" | Bhelghol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icgpcjpo.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kjbclamj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkebebd.dll" | Kmhhae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndcjglje.dll" | Hkbmil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ibadnhmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjfgc32.dll" | Lomglo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnodlj.dll" | Emgioakg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hqgddm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Llpoohik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afpfqffb.dll" | Qhkkim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaokbi32.dll" | Gfcopl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ocfkaone.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omldapkm.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femijbfb.dll" | Mqklqhpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Epkepakn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dochelmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kepgmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fpoolael.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kgkonj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ohmoco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfqfd32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pmhgba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dqfabdaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfdhmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kekkiq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dgknkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mlhmkbhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Abjeejep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" | Jhenjmbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jgbjjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nnjklb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljkakol.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" | Cagienkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmamle32.dll" | Oalkih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdjelc32.dll" | Gdodjlda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjgfacn.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgnjde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jkdfmoha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hehhqk32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe"; depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2244
C:\Windows\SysWOW64\Gbfiaj32.exe (command line: C:\Windows\system32\Gbfiaj32.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2096
C:\Windows\SysWOW64\Gmbfggdo.exe (command line: C:\Windows\system32\Gmbfggdo.exe; depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2992
C:\Windows\SysWOW64\Gjfgqk32.exe (command line: C:\Windows\system32\Gjfgqk32.exe; depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2604
C:\Windows\SysWOW64\Gcahoqhf.exe (command line: C:\Windows\system32\Gcahoqhf.exe; depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2556
C:\Windows\SysWOW64\Hnkion32.exe (command line: C:\Windows\system32\Hnkion32.exe; depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2416
C:\Windows\SysWOW64\Halbai32.exe (command line: C:\Windows\system32\Halbai32.exe; depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2388
C:\Windows\SysWOW64\Hjdfjo32.exe (command line: C:\Windows\system32\Hjdfjo32.exe; depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2996
C:\Windows\SysWOW64\Helgmg32.exe (command line: C:\Windows\system32\Helgmg32.exe; depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2372
C:\Windows\SysWOW64\Ipehmebh.exe (command line: C:\Windows\system32\Ipehmebh.exe; depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2156
C:\Windows\SysWOW64\Iipiljgf.exe (command line: C:\Windows\system32\Iipiljgf.exe; depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2664
C:\Windows\SysWOW64\Imnbbi32.exe (command line: C:\Windows\system32\Imnbbi32.exe; depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2308
C:\Windows\SysWOW64\Ibmgpoia.exe (command line: C:\Windows\system32\Ibmgpoia.exe; depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1964
C:\Windows\SysWOW64\Jhlmmfef.exe (command line: C:\Windows\system32\Jhlmmfef.exe; depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2576
C:\Windows\SysWOW64\Jkmeoa32.exe (command line: C:\Windows\system32\Jkmeoa32.exe; depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1792
C:\Windows\SysWOW64\Jdejhfig.exe (command line: C:\Windows\system32\Jdejhfig.exe; depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2080
C:\Windows\SysWOW64\Jlckbh32.exe (command line: C:\Windows\system32\Jlckbh32.exe; depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID: 2108
C:\Windows\SysWOW64\Knbhlkkc.exe (command line: C:\Windows\system32\Knbhlkkc.exe; depth 18)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2064
C:\Windows\SysWOW64\Khlili32.exe (command line: C:\Windows\system32\Khlili32.exe; depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID: 980
C:\Windows\SysWOW64\Kkmand32.exe (command line: C:\Windows\system32\Kkmand32.exe; depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1080
C:\Windows\SysWOW64\Kdefgj32.exe (command line: C:\Windows\system32\Kdefgj32.exe; depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID: 1356
C:\Windows\SysWOW64\Kgfoie32.exe (command line: C:\Windows\system32\Kgfoie32.exe; depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID: 2760
C:\Windows\SysWOW64\Lblcfnhj.exe (command line: C:\Windows\system32\Lblcfnhj.exe; depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID: 1200
C:\Windows\SysWOW64\Ldllgiek.exe (command line: C:\Windows\system32\Ldllgiek.exe; depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID: 596
C:\Windows\SysWOW64\Lgmeid32.exe (command line: C:\Windows\system32\Lgmeid32.exe; depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID: 948
C:\Windows\SysWOW64\Lgoboc32.exe (command line: C:\Windows\system32\Lgoboc32.exe; depth 26)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 944
C:\Windows\SysWOW64\Mfdopp32.exe (command line: C:\Windows\system32\Mfdopp32.exe; depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID: 1940
C:\Windows\SysWOW64\Mchoid32.exe (command line: C:\Windows\system32\Mchoid32.exe; depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID: 1224
C:\Windows\SysWOW64\Mfihkoal.exe (command line: C:\Windows\system32\Mfihkoal.exe; depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID: 2052
C:\Windows\SysWOW64\Mpamde32.exe (command line: C:\Windows\system32\Mpamde32.exe; depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID: 2872
C:\Windows\SysWOW64\Mijamjnm.exe (command line: C:\Windows\system32\Mijamjnm.exe; depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID: 2700
C:\Windows\SysWOW64\Meabakda.exe (command line: C:\Windows\system32\Meabakda.exe; depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID: 2552
C:\Windows\SysWOW64\Najpll32.exe (command line: C:\Windows\system32\Najpll32.exe; depth 33)
- Executes dropped EXE
PID: 2428
C:\Windows\SysWOW64\Njbdea32.exe (command line: C:\Windows\system32\Njbdea32.exe; depth 34)
- Executes dropped EXE
PID: 2560
C:\Windows\SysWOW64\Nijnln32.exe (command line: C:\Windows\system32\Nijnln32.exe; depth 35)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2424
C:\Windows\SysWOW64\Oiljam32.exe (command line: C:\Windows\system32\Oiljam32.exe; depth 36)
- Executes dropped EXE
PID: 1092
C:\Windows\SysWOW64\Obdojcef.exe (command line: C:\Windows\system32\Obdojcef.exe; depth 37)
- Executes dropped EXE
PID: 2036
C:\Windows\SysWOW64\Omqlpp32.exe (command line: C:\Windows\system32\Omqlpp32.exe; depth 38)
- Executes dropped EXE
PID: 1856
C:\Windows\SysWOW64\Okdmjdol.exe (command line: C:\Windows\system32\Okdmjdol.exe; depth 39)
- Executes dropped EXE
PID: 2660
C:\Windows\SysWOW64\Pgnjde32.exe (command line: C:\Windows\system32\Pgnjde32.exe; depth 40)
- Executes dropped EXE
- Modifies registry class
PID: 1240
C:\Windows\SysWOW64\Pljcllqe.exe (command line: C:\Windows\system32\Pljcllqe.exe; depth 41)
- Executes dropped EXE
PID: 2016
C:\Windows\SysWOW64\Pomhcg32.exe (command line: C:\Windows\system32\Pomhcg32.exe; depth 42)
- Executes dropped EXE
PID: 1976
C:\Windows\SysWOW64\Pegqpacp.exe (command line: C:\Windows\system32\Pegqpacp.exe; depth 43)
- Executes dropped EXE
PID: 308
C:\Windows\SysWOW64\Popeif32.exe (command line: C:\Windows\system32\Popeif32.exe; depth 44)
- Executes dropped EXE
PID: 2964
C:\Windows\SysWOW64\Pdmnam32.exe (command line: C:\Windows\system32\Pdmnam32.exe; depth 45)
- Executes dropped EXE
PID: 2292
C:\Windows\SysWOW64\Qaqnkafa.exe (command line: C:\Windows\system32\Qaqnkafa.exe; depth 46)
- Executes dropped EXE
PID: 2948
C:\Windows\SysWOW64\Qgmfchei.exe (command line: C:\Windows\system32\Qgmfchei.exe; depth 47)
- Executes dropped EXE
PID: 3052
C:\Windows\SysWOW64\Qqfkln32.exe (command line: C:\Windows\system32\Qqfkln32.exe; depth 48)
- Executes dropped EXE
PID: 1156
C:\Windows\SysWOW64\Qhmcmk32.exe (command line: C:\Windows\system32\Qhmcmk32.exe; depth 49)
- Executes dropped EXE
PID: 1460
C:\Windows\SysWOW64\Aknlofim.exe (command line: C:\Windows\system32\Aknlofim.exe; depth 50)
- Executes dropped EXE
PID: 368
C:\Windows\SysWOW64\Aciqcifh.exe (command line: C:\Windows\system32\Aciqcifh.exe; depth 51)
- Executes dropped EXE
PID: 2132
C:\Windows\SysWOW64\Aopahjll.exe (command line: C:\Windows\system32\Aopahjll.exe; depth 52)
- Executes dropped EXE
PID: 2352
C:\Windows\SysWOW64\Ajeeeblb.exe (command line: C:\Windows\system32\Ajeeeblb.exe; depth 53)
- Executes dropped EXE
PID: 1144
C:\Windows\SysWOW64\Abpjjeim.exe (command line: C:\Windows\system32\Abpjjeim.exe; depth 54)
- Executes dropped EXE
PID: 2312
C:\Windows\SysWOW64\Aijbfo32.exe (command line: C:\Windows\system32\Aijbfo32.exe; depth 55)
- Executes dropped EXE
PID: 1576
C:\Windows\SysWOW64\Bbbgod32.exe (command line: C:\Windows\system32\Bbbgod32.exe; depth 56)
- Executes dropped EXE
PID: 2716
C:\Windows\SysWOW64\Bkklhjnk.exe (command line: C:\Windows\system32\Bkklhjnk.exe; depth 57)
- Executes dropped EXE
PID: 2524
C:\Windows\SysWOW64\Biolanld.exe (command line: C:\Windows\system32\Biolanld.exe; depth 58)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2628
C:\Windows\SysWOW64\Bnldjekl.exe (command line: C:\Windows\system32\Bnldjekl.exe; depth 59)
- Executes dropped EXE
PID: 2644
C:\Windows\SysWOW64\Bkpeci32.exe (command line: C:\Windows\system32\Bkpeci32.exe; depth 60)
- Executes dropped EXE
PID: 2224
C:\Windows\SysWOW64\Bbjmpcab.exe (command line: C:\Windows\system32\Bbjmpcab.exe; depth 61)
- Executes dropped EXE
PID: 2820
C:\Windows\SysWOW64\Bkbaii32.exe (command line: C:\Windows\system32\Bkbaii32.exe; depth 62)
- Executes dropped EXE
PID: 2320
C:\Windows\SysWOW64\Bejfao32.exe (command line: C:\Windows\system32\Bejfao32.exe; depth 63)
- Executes dropped EXE
PID: 2640
C:\Windows\SysWOW64\Cjgoje32.exe (command line: C:\Windows\system32\Cjgoje32.exe; depth 64)
- Executes dropped EXE
PID: 2348
C:\Windows\SysWOW64\Cpdgbm32.exe (command line: C:\Windows\system32\Cpdgbm32.exe; depth 65)
- Executes dropped EXE
PID: 1808
C:\Windows\SysWOW64\Ccbphk32.exe (command line: C:\Windows\system32\Ccbphk32.exe; depth 66)
PID: 2328
C:\Windows\SysWOW64\Cjlheehe.exe (command line: C:\Windows\system32\Cjlheehe.exe; depth 67)
PID: 1616
C:\Windows\SysWOW64\Cbgmigeq.exe (command line: C:\Windows\system32\Cbgmigeq.exe; depth 68)
PID: 464
C:\Windows\SysWOW64\Clpabm32.exe (command line: C:\Windows\system32\Clpabm32.exe; depth 69)
PID: 2136
C:\Windows\SysWOW64\Cfeepelg.exe (command line: C:\Windows\system32\Cfeepelg.exe; depth 70)
- Modifies registry class
PID: 2040
C:\Windows\SysWOW64\Cpmjhk32.exe (command line: C:\Windows\system32\Cpmjhk32.exe; depth 71)
PID: 824
C:\Windows\SysWOW64\Difnaqih.exe (command line: C:\Windows\system32\Difnaqih.exe; depth 72)
PID: 908
C:\Windows\SysWOW64\Dobgihgp.exe (command line: C:\Windows\system32\Dobgihgp.exe; depth 73)
PID: 2856
C:\Windows\SysWOW64\Dhkkbmnp.exe (command line: C:\Windows\system32\Dhkkbmnp.exe; depth 74)
PID: 892
C:\Windows\SysWOW64\Doecog32.exe (command line: C:\Windows\system32\Doecog32.exe; depth 75)
PID: 2632
C:\Windows\SysWOW64\Ddblgn32.exe (command line: C:\Windows\system32\Ddblgn32.exe; depth 76)
PID: 2936
C:\Windows\SysWOW64\Dogpdg32.exe (command line: C:\Windows\system32\Dogpdg32.exe; depth 77)
PID: 2692
C:\Windows\SysWOW64\Dgbeiiqe.exe (command line: C:\Windows\system32\Dgbeiiqe.exe; depth 78)
PID: 2532
C:\Windows\SysWOW64\Dahifbpk.exe (command line: C:\Windows\system32\Dahifbpk.exe; depth 79)
PID: 2456
C:\Windows\SysWOW64\Dkqnoh32.exe (command line: C:\Windows\system32\Dkqnoh32.exe; depth 80)
PID: 1164
C:\Windows\SysWOW64\Edibhmml.exe (command line: C:\Windows\system32\Edibhmml.exe; depth 81)
PID: 1520
C:\Windows\SysWOW64\Eldglp32.exe (command line: C:\Windows\system32\Eldglp32.exe; depth 82)
PID: 1956
C:\Windows\SysWOW64\Eelkeeah.exe (command line: C:\Windows\system32\Eelkeeah.exe; depth 83)
PID: 2452
C:\Windows\SysWOW64\Epbpbnan.exe (command line: C:\Windows\system32\Epbpbnan.exe; depth 84)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1148
C:\Windows\SysWOW64\Eeohkeoe.exe (command line: C:\Windows\system32\Eeohkeoe.exe; depth 85)
PID: 2204
C:\Windows\SysWOW64\Elipgofb.exe (command line: C:\Windows\system32\Elipgofb.exe; depth 86)
PID: 1500
C:\Windows\SysWOW64\Ecbhdi32.exe (command line: C:\Windows\system32\Ecbhdi32.exe; depth 87)
PID: 2904
C:\Windows\SysWOW64\Elkmmodo.exe (command line: C:\Windows\system32\Elkmmodo.exe; depth 88)
PID: 3032
C:\Windows\SysWOW64\Eaheeecg.exe (command line: C:\Windows\system32\Eaheeecg.exe; depth 89)
PID: 3044
C:\Windows\SysWOW64\Fgdnnl32.exe (command line: C:\Windows\system32\Fgdnnl32.exe; depth 90)
PID: 884
C:\Windows\SysWOW64\Fnofjfhk.exe (command line: C:\Windows\system32\Fnofjfhk.exe; depth 91)
PID: 1412
C:\Windows\SysWOW64\Fhdjgoha.exe (command line: C:\Windows\system32\Fhdjgoha.exe; depth 92)
PID: 1304
C:\Windows\SysWOW64\Fkbgckgd.exe (command line: C:\Windows\system32\Fkbgckgd.exe; depth 93)
PID: 2236
C:\Windows\SysWOW64\Fpoolael.exe (command line: C:\Windows\system32\Fpoolael.exe; depth 94)
- Modifies registry class
PID: 2900
C:\Windows\SysWOW64\Fkecij32.exe (command line: C:\Windows\system32\Fkecij32.exe; depth 95)
PID: 2364
C:\Windows\SysWOW64\Fcphnm32.exe (command line: C:\Windows\system32\Fcphnm32.exe; depth 96)
PID: 2868
C:\Windows\SysWOW64\Fnflke32.exe (command line: C:\Windows\system32\Fnflke32.exe; depth 97)
PID: 2512
C:\Windows\SysWOW64\Fogibnha.exe (command line: C:\Windows\system32\Fogibnha.exe; depth 98)
PID: 2396
C:\Windows\SysWOW64\Gbjojh32.exe (command line: C:\Windows\system32\Gbjojh32.exe; depth 99)
PID: 584
C:\Windows\SysWOW64\Gnaooi32.exe (command line: C:\Windows\system32\Gnaooi32.exe; depth 100)
PID: 836
C:\Windows\SysWOW64\Gncldi32.exe (command line: C:\Windows\system32\Gncldi32.exe; depth 101)
PID: 2340
C:\Windows\SysWOW64\Gjjmijme.exe (command line: C:\Windows\system32\Gjjmijme.exe; depth 102)
PID: 2184
C:\Windows\SysWOW64\Gbadjg32.exe (command line: C:\Windows\system32\Gbadjg32.exe; depth 103)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1028
C:\Windows\SysWOW64\Gcbabpcf.exe (command line: C:\Windows\system32\Gcbabpcf.exe; depth 104)
PID: 1048
C:\Windows\SysWOW64\Hjlioj32.exe (command line: C:\Windows\system32\Hjlioj32.exe; depth 105)
PID: 3064
C:\Windows\SysWOW64\Hebnlb32.exe (command line: C:\Windows\system32\Hebnlb32.exe; depth 106)
PID: 2280
C:\Windows\SysWOW64\Hgpjhn32.exe (command line: C:\Windows\system32\Hgpjhn32.exe; depth 107)
PID: 1288
C:\Windows\SysWOW64\Hpkompgg.exe (command line: C:\Windows\system32\Hpkompgg.exe; depth 108)
PID: 1344
C:\Windows\SysWOW64\Hjacjifm.exe (command line: C:\Windows\system32\Hjacjifm.exe; depth 109)
PID: 2720
C:\Windows\SysWOW64\Hmoofdea.exe (command line: C:\Windows\system32\Hmoofdea.exe; depth 110)
PID: 2536
C:\Windows\SysWOW64\Hblgnkdh.exe (command line: C:\Windows\system32\Hblgnkdh.exe; depth 111)
PID: 2500
C:\Windows\SysWOW64\Hifpke32.exe (command line: C:\Windows\system32\Hifpke32.exe; depth 112)
PID: 2880
C:\Windows\SysWOW64\Hboddk32.exe (command line: C:\Windows\system32\Hboddk32.exe; depth 113)
PID: 1732
C:\Windows\SysWOW64\Hlgimqhf.exe (command line: C:\Windows\system32\Hlgimqhf.exe; depth 114)
PID: 2380
C:\Windows\SysWOW64\Iflmjihl.exe (command line: C:\Windows\system32\Iflmjihl.exe; depth 115)
PID: 1296
C:\Windows\SysWOW64\Ihniaa32.exe (command line: C:\Windows\system32\Ihniaa32.exe; depth 116)
PID: 2004
C:\Windows\SysWOW64\Iafnjg32.exe (command line: C:\Windows\system32\Iafnjg32.exe; depth 117)
PID: 1540
C:\Windows\SysWOW64\Ihpfgalh.exe (command line: C:\Windows\system32\Ihpfgalh.exe; depth 118)
PID: 664
C:\Windows\SysWOW64\Ijnbcmkk.exe (command line: C:\Windows\system32\Ijnbcmkk.exe; depth 119)
PID: 1320
C:\Windows\SysWOW64\Iedfqeka.exe (command line: C:\Windows\system32\Iedfqeka.exe; depth 120)
PID: 1620
C:\Windows\SysWOW64\Ilnomp32.exe (command line: C:\Windows\system32\Ilnomp32.exe; depth 121)
PID: 580
C:\Windows\SysWOW64\Ijclol32.exe (command line: C:\Windows\system32\Ijclol32.exe; depth 122)
- Drops file in System32 directory
PID: 804