Analysis
max time kernel: 143s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16/05/2024, 11:30
Behavioral task behavioral1
Sample: dcbb337664a10918e8213462e0d7ca80_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task behavioral2
Sample: dcbb337664a10918e8213462e0d7ca80_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: dcbb337664a10918e8213462e0d7ca80_NeikiAnalytics.exe
Size: 1.3MB
MD5: dcbb337664a10918e8213462e0d7ca80
SHA1: 4d49f36ed7ece45714cd67a2452f66e08d1145b9
SHA256: 867d29a28adb080b860bb4b56e0bcdc0523d4511de2817d8dd6134be803d9299
SHA512: f44129a0617db7e979857f8124706cdb95a0f873c5727315201f51171684a8fced01716a36e86efcced8f4a6dd8427b0932bc32a6fbfa608bc95ddf9ce2d8936
SSDEEP: 24576:a+6vr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:KkB9f0VP91v92W805IPSOdKgzEoxrlQ3
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed as a value under HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad when the shell starts. The dropped stages each register the value "Web Event Logger" = {79ECA078-17FF-726B-E811-213280E5C831} there, and the "Modifies registry class" entries below show the same CLSID's InProcServer32 being pointed at dropped DLLs in C:\Windows\SysWow64, which completes the chain Explorer -> CLSID -> DLL. Two caveats when reading the lists: "Process not Found" means the sandbox could not attribute the event to a process in its process list, and because the sample is 32-bit its HKLM\Software writes were redirected to Wow6432Node, so on this 64-bit image the 64-bit Explorer reads the native view and the persistence should be verified rather than assumed to fire.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjcabmga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bpjkiogm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejcmmp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paggce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Afnagk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eobapbbg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnqned32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qaapcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijaaae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fnogfk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Llkbap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ecejkf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikhjki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nlnnnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fkhibino.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mpdnkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlpneh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlhhndno.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emdhhdqb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqhfhigj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceeieced.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgnnln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hnheohcl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaflgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldpbpgoh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpgobc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aognbnkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihpdoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Imgnjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfggkc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqinhcoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pjcabmga.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cielhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jhmofo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnleiipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ledibnco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jacibm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bccjdnbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oimmjffj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcdldknm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Caokmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nodgel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmgpbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nihcog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Emdhhdqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obojhlbq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmbhok32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/files/0x000c00000001227b-5.dat | family_berbew
behavioral1/files/0x0008000000015cc7-18.dat | family_berbew
behavioral1/files/0x0007000000015cf0-32.dat | family_berbew
behavioral1/files/0x0007000000015d0c-51.dat | family_berbew
behavioral1/files/0x0038000000015c93-58.dat | family_berbew
behavioral1/files/0x0006000000016abb-78.dat | family_berbew
behavioral1/files/0x0006000000016c71-85.dat | family_berbew
behavioral1/files/0x0006000000016cc3-99.dat | family_berbew
behavioral1/files/0x0006000000016d1b-112.dat | family_berbew
behavioral1/files/0x0006000000016d34-125.dat | family_berbew
behavioral1/files/0x0006000000016d45-140.dat | family_berbew
behavioral1/files/0x0006000000016d61-160.dat | family_berbew
behavioral1/files/0x0006000000016d69-167.dat | family_berbew
behavioral1/files/0x0006000000016dda-181.dat | family_berbew
behavioral1/files/0x0006000000016de7-194.dat | family_berbew
behavioral1/files/0x0006000000017042-214.dat | family_berbew
behavioral1/files/0x0006000000017486-224.dat | family_berbew
behavioral1/files/0x0006000000018663-235.dat | family_berbew
behavioral1/files/0x001100000001867a-244.dat | family_berbew
behavioral1/files/0x00050000000186e6-251.dat | family_berbew
behavioral1/files/0x00050000000186ff-260.dat | family_berbew
behavioral1/files/0x000500000001873f-269.dat | family_berbew
behavioral1/files/0x000500000001878d-278.dat | family_berbew
behavioral1/files/0x0005000000019228-289.dat | family_berbew
behavioral1/files/0x000500000001925d-302.dat | family_berbew
behavioral1/files/0x0005000000019275-311.dat | family_berbew
behavioral1/files/0x0005000000019283-323.dat | family_berbew
behavioral1/memory/1144-324-0x0000000000250000-0x0000000000283000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019381-332.dat | family_berbew
behavioral1/files/0x00050000000193a5-343.dat | family_berbew
behavioral1/files/0x0005000000019433-356.dat | family_berbew
behavioral1/files/0x0005000000019457-365.dat | family_berbew
behavioral1/memory/2716-379-0x0000000000250000-0x0000000000283000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019491-376.dat | family_berbew
behavioral1/files/0x00050000000194b8-388.dat | family_berbew
behavioral1/memory/2008-400-0x00000000002F0000-0x0000000000323000-memory.dmp | family_berbew
behavioral1/files/0x00050000000194ef-397.dat | family_berbew
behavioral1/files/0x0005000000019507-410.dat | family_berbew
behavioral1/files/0x000500000001957d-419.dat | family_berbew
behavioral1/files/0x00050000000195e3-429.dat | family_berbew
behavioral1/files/0x000500000001961c-441.dat | family_berbew
behavioral1/files/0x000500000001961f-452.dat | family_berbew
behavioral1/memory/1428-458-0x0000000000440000-0x0000000000473000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019622-462.dat | family_berbew
behavioral1/files/0x0005000000019626-473.dat | family_berbew
behavioral1/files/0x0005000000019638-483.dat | family_berbew
behavioral1/files/0x00050000000196bd-494.dat | family_berbew
behavioral1/files/0x00050000000199b8-505.dat | family_berbew
behavioral1/files/0x0005000000019c54-517.dat | family_berbew
behavioral1/files/0x0005000000019c71-526.dat | family_berbew
behavioral1/files/0x0005000000019d60-535.dat | family_berbew
behavioral1/files/0x0005000000019dd5-544.dat | family_berbew
behavioral1/files/0x0005000000019fd8-558.dat | family_berbew
behavioral1/files/0x000500000001a09c-568.dat | family_berbew
behavioral1/files/0x000500000001a320-579.dat | family_berbew
behavioral1/files/0x000500000001a43c-592.dat | family_berbew
behavioral1/files/0x000500000001a440-605.dat | family_berbew
behavioral1/files/0x000500000001a44b-615.dat | family_berbew
behavioral1/files/0x000500000001a4a9-627.dat | family_berbew
behavioral1/files/0x000500000001a4b1-638.dat | family_berbew
behavioral1/files/0x000500000001a4c7-653.dat | family_berbew
behavioral1/files/0x000500000001a4cf-662.dat | family_berbew
behavioral1/files/0x000500000001a4d3-673.dat | family_berbew
behavioral1/files/0x000500000001a4d7-681.dat | family_berbew
Executes dropped EXE (64 IoCs)
The dropped stages form one linear chain: each process starts exactly the next one (compare the WriteProcessMemory list below), and the generated names advance alphabetically from B through Q before wrapping to A. The report shows at most 64 entries per signature, so this is the head of the chain, not all of it.
pid | Process
344 | Bokphdld.exe
2448 | Bpafkknm.exe
2712 | Cgpgce32.exe
2900 | Cjbmjplb.exe
1284 | Cdlnkmha.exe
2532 | Dqhhknjp.exe
2276 | Eihfjo32.exe
3040 | Ekklaj32.exe
2612 | Flabbihl.exe
764 | Filldb32.exe
2616 | Gonnhhln.exe
2988 | Gieojq32.exe
1484 | Hpkjko32.exe
2116 | Hkpnhgge.exe
1952 | Ilknfn32.exe
1904 | Iblpjdpk.exe
1068 | Jgnamk32.exe
584 | Jmocpado.exe
2324 | Jejhecaj.exe
2352 | Jnclnihj.exe
1512 | Kaceodek.exe
1340 | Kgnnln32.exe
1028 | Kfbkmk32.exe
552 | Kgbggnhc.exe
288 | Kcihlong.exe
1144 | Kfgdhjmk.exe
2040 | Lpbefoai.exe
1560 | Lbqabkql.exe
492 | Leajdfnm.exe
2656 | Llkbap32.exe
2716 | Ldfgebbe.exe
2688 | Mggpgmof.exe
2008 | Mhgmapfi.exe
2780 | Mkeimlfm.exe
1588 | Mmfbogcn.exe
1376 | Mpdnkb32.exe
2092 | Moiklogi.exe
1428 | Meccii32.exe
2500 | Nhdlkdkg.exe
2956 | Ncjqhmkm.exe
1808 | Nncahjgl.exe
1756 | Nhiffc32.exe
2260 | Ngnbgplj.exe
2916 | Nnhkcj32.exe
480 | Olmhdf32.exe
804 | Ocgpappk.exe
1252 | Onmdoioa.exe
440 | Oonafa32.exe
1344 | Ombapedi.exe
1064 | Obojhlbq.exe
2936 | Ojfaijcc.exe
2884 | Omdneebf.exe
1700 | Ooeggp32.exe
2192 | Pfoocjfd.exe
796 | Pgplkb32.exe
2608 | Pnjdhmdo.exe
2704 | Pqhpdhcc.exe
832 | Pefijfii.exe
2680 | Pkpagq32.exe
3004 | Pjcabmga.exe
2992 | Pggbla32.exe
2808 | Pmdjdh32.exe
1628 | Qbcpbo32.exe
2836 | Aipddi32.exe
Loads dropped DLL (64 IoCs)
pid | Process | load events (each process appears twice in the source list)
2428 | dcbb337664a10918e8213462e0d7ca80_NeikiAnalytics.exe | 2
344 | Bokphdld.exe | 2
2448 | Bpafkknm.exe | 2
2712 | Cgpgce32.exe | 2
2900 | Cjbmjplb.exe | 2
1284 | Cdlnkmha.exe | 2
2532 | Dqhhknjp.exe | 2
2276 | Eihfjo32.exe | 2
3040 | Ekklaj32.exe | 2
2612 | Flabbihl.exe | 2
764 | Filldb32.exe | 2
2616 | Gonnhhln.exe | 2
2988 | Gieojq32.exe | 2
1484 | Hpkjko32.exe | 2
2116 | Hkpnhgge.exe | 2
1952 | Ilknfn32.exe | 2
1904 | Iblpjdpk.exe | 2
1068 | Jgnamk32.exe | 2
584 | Jmocpado.exe | 2
2324 | Jejhecaj.exe | 2
2352 | Jnclnihj.exe | 2
1512 | Kaceodek.exe | 2
1340 | Kgnnln32.exe | 2
1028 | Kfbkmk32.exe | 2
552 | Kgbggnhc.exe | 2
288 | Kcihlong.exe | 2
1144 | Kfgdhjmk.exe | 2
2040 | Lpbefoai.exe | 2
1560 | Lbqabkql.exe | 2
492 | Leajdfnm.exe | 2
2656 | Llkbap32.exe | 2
2716 | Ldfgebbe.exe | 2
Drops file in System32 directory (64 IoCs)
Every dropped artefact, both the next-stage executables and the COM server DLLs, is written to C:\Windows\SysWOW64 under a generated eight-letter name. Creating files there requires administrative rights, so this stage depends on the sample running elevated, as it did in the sandbox.
description | ioc | Process
File created | C:\Windows\SysWOW64\Nedmeekj.dll | Deakjjbk.exe
File created | C:\Windows\SysWOW64\Gkaobghp.dll | Iediin32.exe
File created | C:\Windows\SysWOW64\Ebfqfpop.exe | Einlmkhp.exe
File opened for modification | C:\Windows\SysWOW64\Icfbkded.exe | Ioiidfon.exe
File created | C:\Windows\SysWOW64\Pfmnocmn.dll | Gqodqodl.exe
File created | C:\Windows\SysWOW64\Oqjibkek.exe | Process not Found
File created | C:\Windows\SysWOW64\Hleqai32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cjonncab.exe | Cinafkkd.exe
File created | C:\Windows\SysWOW64\Iimfgo32.dll | Bhndldcn.exe
File created | C:\Windows\SysWOW64\Edibhmml.exe | Elajgpmj.exe
File opened for modification | C:\Windows\SysWOW64\Jgmaog32.exe | Jacibm32.exe
File created | C:\Windows\SysWOW64\Malbbh32.dll | Dcjjkkji.exe
File created | C:\Windows\SysWOW64\Fjiegbjj.dll | Process not Found
File created | C:\Windows\SysWOW64\Aaaoij32.exe | Ajhgmpfg.exe
File created | C:\Windows\SysWOW64\Igebkiof.exe | Ijaaae32.exe
File created | C:\Windows\SysWOW64\Lcobciom.dll | Ofafgipc.exe
File created | C:\Windows\SysWOW64\Oabplobe.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Clhecl32.exe | Process not Found
File created | C:\Windows\SysWOW64\Pojhbfni.dll | Jhmofo32.exe
File opened for modification | C:\Windows\SysWOW64\Dibhjokm.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Neblqoel.exe | Process not Found
File created | C:\Windows\SysWOW64\Mhhgpc32.exe | Mfgnnhkc.exe
File created | C:\Windows\SysWOW64\Pjddaagq.dll | Gpidki32.exe
File created | C:\Windows\SysWOW64\Gaeqmk32.exe | Fogdap32.exe
File created | C:\Windows\SysWOW64\Hhfkihon.exe | Hnnjfo32.exe
File opened for modification | C:\Windows\SysWOW64\Gjpqpl32.exe | Fdbhge32.exe
File opened for modification | C:\Windows\SysWOW64\Nigldq32.exe | Nbmdhfog.exe
File created | C:\Windows\SysWOW64\Lglmefcg.exe | Lhimji32.exe
File created | C:\Windows\SysWOW64\Llohjo32.exe | Lmikibio.exe
File created | C:\Windows\SysWOW64\Dkabpebk.dll | Mkddnf32.exe
File opened for modification | C:\Windows\SysWOW64\Bplijcle.exe | Bpjldc32.exe
File created | C:\Windows\SysWOW64\Caccmo32.dll | Process not Found
File created | C:\Windows\SysWOW64\Cadbgifg.dll | Process not Found
File created | C:\Windows\SysWOW64\Opakbgif.dll | Ciifbchf.exe
File opened for modification | C:\Windows\SysWOW64\Hhkopj32.exe | Gglbfg32.exe
File created | C:\Windows\SysWOW64\Bkofkccd.dll | Process not Found
File created | C:\Windows\SysWOW64\Gaihob32.exe | Goiongbc.exe
File created | C:\Windows\SysWOW64\Hapicp32.exe | Hmdmcanc.exe
File created | C:\Windows\SysWOW64\Kcebfo32.dll | Kjllab32.exe
File created | C:\Windows\SysWOW64\Pgegok32.exe | Pdgkco32.exe
File created | C:\Windows\SysWOW64\Nhadao32.dll | Qndigd32.exe
File created | C:\Windows\SysWOW64\Edhnbelc.dll | Gkhaooec.exe
File created | C:\Windows\SysWOW64\Lqgjkbop.exe | Process not Found
File created | C:\Windows\SysWOW64\Dkqmaqbm.dll | Jmplcp32.exe
File created | C:\Windows\SysWOW64\Npojdpef.exe | Nkbalifo.exe
File opened for modification | C:\Windows\SysWOW64\Klehgh32.exe | Kfkpknkq.exe
File created | C:\Windows\SysWOW64\Gkhaooec.exe | Gdnibdmf.exe
File opened for modification | C:\Windows\SysWOW64\Hajhpgag.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hdkaabnh.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Bpnbkeld.exe | Bdgafdfp.exe
File created | C:\Windows\SysWOW64\Joildhiq.dll | Hekefkig.exe
File created | C:\Windows\SysWOW64\Fdlfii32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lighjd32.exe | Process not Found
File created | C:\Windows\SysWOW64\Giaidnkf.exe | Gpidki32.exe
File created | C:\Windows\SysWOW64\Ocaadj32.dll | Lngpog32.exe
File opened for modification | C:\Windows\SysWOW64\Nebnigmp.exe | Process not Found
File created | C:\Windows\SysWOW64\Bmhkmm32.exe | Bfncpcoc.exe
File opened for modification | C:\Windows\SysWOW64\Nmofdf32.exe | Nnleiipc.exe
File created | C:\Windows\SysWOW64\Dadfhdil.dll | Efljhq32.exe
File created | C:\Windows\SysWOW64\Knfddo32.dll | Jipaip32.exe
File opened for modification | C:\Windows\SysWOW64\Ncfjajma.exe | Nkobpmlo.exe
File created | C:\Windows\SysWOW64\Feipbefb.exe | Fnogfk32.exe
File created | C:\Windows\SysWOW64\Pipfnehe.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Iagaod32.exe | Process not Found
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4772 | 4972 | Process not Found | 1339
Modifies registry class (64 IoCs)
These writes create the COM registration for the CLSID named in ShellServiceObjectDelayLoad: an InProcServer32 subkey with ThreadingModel = "Apartment" and a default value naming a dropped DLL in C:\Windows\SysWow64. Successive stages overwrite that default value with their own DLL, and in several cases the writing process is also the one that created the file (Kjllab32.exe creates Kcebfo32.dll, Ofafgipc.exe creates Lcobciom.dll and Gkhaooec.exe creates Edhnbelc.dll in the list above). Only one DLL path is in the value at a time, so the last write before Explorer next starts decides which DLL gets loaded.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icijhlgk.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmodmbk.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkkdd32.dll" | Ackmih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Llgljn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnmdf32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaqjmil.dll" | Oaogognm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Liibgkoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgfhpob.dll" | Mioabp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Klehgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcobciom.dll" | Ofafgipc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kcmdjgbh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aiaqle32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcebfo32.dll" | Kjllab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaidoiaj.dll" | Mlkail32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Flabbihl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Olgmcmgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nbeedh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbleodi.dll" | Jgbjjf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Efqbglen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kgnbnpkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Flfpabkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" | Dbabho32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hhfkihon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Abjeejep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" | Moanaiie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll" | Pihgic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ojceef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnnqifi.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bkpglbaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llhmmh32.dll" | Pdjljpnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elilld32.dll" | Egikjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ijphofem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dbdham32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdijm32.dll" | Jgnamk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Amcbankf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbaljk32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhnbelc.dll" | Gkhaooec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijjok32.dll" | Hokhbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" | Klecfkff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kfggkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkehj32.dll" | Lbogfcjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodek32.dll" | Cljodo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bccjdnbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbdhfp32.dll" | Jjbbpmgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fblloc32.dll" | Kajiigba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmihjfj.dll" | Ioiidfon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Blniinac.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Acfaeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dlfejcoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hnheohcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nnmlcp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Iipiljgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbiahjpi.dll" | Ehnfpifm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Einebddd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Afohaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ffibkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Flabdecn.exe
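The persistence mechanism is spread over three IoC lists (the ShellServiceObjectDelayLoad value, the CLSID's InProcServer32 registration and the file drops). The following is an added example, written for this page rather than taken from the sandbox report or the sandbox vendor's tooling, that parses event lines in the report's own "description ioc Process" format and links SSODL value -> CLSID -> InProcServer32 DLL -> the process that created that DLL. The sample lines are a constructed subset copied from the lists above; the function names and the assumption that every line follows that three-column shape are mine.

```python
import re
from collections import defaultdict

# Event line shape as printed in the report: "<description> <ioc> <Process>".
# "Process not Found" is the sandbox's placeholder for an unattributed event.
EVENT_RE = re.compile(
    r"^(Key created|Set value \(str\)|File created|File opened for modification)"
    r" (.+?) (Process not Found|\S+)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: a subset of lines copied from the three IoC lists above.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpjkiogm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llgljn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcebfo32.dll" Kjllab32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icijhlgk.dll" Process not Found
File created C:\Windows\SysWOW64\Kcebfo32.dll Kjllab32.exe
File created C:\Windows\SysWOW64\Nedmeekj.dll Deakjjbk.exe
""".strip().splitlines()


def parse_event(line):
    """Split one report line into kind / ioc / process; decode registry value writes."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    kind, ioc, proc = m.groups()
    ev = {"kind": kind, "ioc": ioc, "process": proc}
    if kind == "Set value (str)" and " = " in ioc:
        path, raw = ioc.split(" = ", 1)
        key, _, name = path.rpartition("\\")   # name == "" means the (Default) value
        # The report doubles backslashes inside quoted string values; undo that.
        ev.update(key=key, name=name, value=raw.strip('"').replace("\\\\", "\\"))
    return ev


def persistence_chain(lines):
    """Link SSODL value -> CLSID -> InProcServer32 DLL -> process that dropped the DLL."""
    events = [e for e in map(parse_event, lines) if e]
    ssodl = {}                   # SSODL value name -> CLSID it points at
    servers = {}                 # CLSID -> {dll path: process that wrote InProcServer32}
    droppers = defaultdict(set)  # lower-cased DLL file name -> processes that created it
    for e in events:
        if e["kind"] == "Set value (str)":
            key = e["key"].lower()
            if key.endswith("\\shellserviceobjectdelayload") and CLSID_RE.fullmatch(e["value"]):
                ssodl[e["name"]] = e["value"].upper()
            elif key.endswith("\\inprocserver32") and e["name"] == "":
                clsid = CLSID_RE.search(e["key"])
                if clsid:
                    servers.setdefault(clsid.group().upper(), {})[e["value"]] = e["process"]
        elif e["kind"] == "File created":
            droppers[e["ioc"].rsplit("\\", 1)[-1].lower()].add(e["process"])
    chain = []
    for name, clsid in ssodl.items():
        for dll, writer in servers.get(clsid, {}).items():
            chain.append({
                "ssodl_value": name, "clsid": clsid, "dll": dll,
                "registered_by": writer,
                # Empty when no "File created" event corroborates the DLL (e.g. the
                # list was truncated or the event was attributed to "Process not Found").
                "dropped_by": sorted(droppers.get(dll.rsplit("\\", 1)[-1].lower(), ())),
            })
    return chain


if __name__ == "__main__":
    for link in persistence_chain(SAMPLE_EVENTS):
        corroborated = "yes" if link["dropped_by"] else "no File created event in input"
        print(f'{link["ssodl_value"]} -> {link["clsid"]} -> {link["dll"]} '
              f'(InProcServer32 written by {link["registered_by"]}; drop corroborated: {corroborated})')
```

On a live host the same resolution is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\CLSID\<clsid>\InProcServer32, checking both the native view and the Wow6432Node view; any InProcServer32 default value that points outside the expected system DLLs, and in particular at a freshly created file, is the item to pull and hash.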
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcbb337664a10918e8213462e0d7ca80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\dcbb337664a10918e8213462e0d7ca80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:492 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe33⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe34⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe35⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe36⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe38⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe39⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe40⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe41⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe43⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe44⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe45⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe46⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe47⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe48⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe49⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe50⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe52⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe53⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe54⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe55⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe56⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe57⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe58⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe59⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe60⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe62⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe63⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe64⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe65⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe66⤵PID:2168
-
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe67⤵PID:2128
-
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe68⤵PID:1416
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe69⤵PID:1676
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe70⤵PID:1612
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe71⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe72⤵PID:1900
-
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe73⤵
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe74⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe75⤵PID:1624
-
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe76⤵PID:1928
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe77⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe78⤵PID:1632
-
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe79⤵PID:2772
-
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe80⤵PID:2332
-
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe81⤵PID:3036
-
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe82⤵PID:2316
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe83⤵PID:2840
-
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe84⤵PID:2820
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe85⤵PID:2244
-
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe86⤵PID:264
-
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe87⤵PID:1096
-
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe88⤵PID:300
-
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe89⤵PID:1856
-
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe90⤵PID:2372
-
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe91⤵PID:2464
-
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe92⤵PID:2952
-
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe93⤵PID:1724
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe94⤵PID:2912
-
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe95⤵PID:2668
-
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe96⤵PID:2556
-
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe97⤵PID:2524
-
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe98⤵PID:1924
-
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe99⤵PID:2748
-
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe100⤵PID:2856
-
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe101⤵PID:1912
-
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe103⤵PID:1660
-
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe104⤵PID:2344
-
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe105⤵PID:2284
-
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe107⤵PID:2908
-
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe108⤵PID:2020
-
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe109⤵PID:2804
-
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe110⤵PID:2708
-
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe111⤵PID:2572
-
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe112⤵PID:3024
-
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe113⤵PID:2636
-
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe114⤵PID:2488
-
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe115⤵PID:2752
-
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe116⤵PID:2496
-
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe117⤵PID:840
-
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe118⤵PID:2480
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe119⤵PID:1848
-
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe120⤵PID:2892
-
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe121⤵PID:2596
-
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe122⤵PID:2004