Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 13:19
Behavioral task behavioral1
Sample: 5411a72cf2dba2b74598f0276ca3a4bcae4af93efdef7f89d945f5553be06a80_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 5411a72cf2dba2b74598f0276ca3a4bcae4af93efdef7f89d945f5553be06a80_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

The analysis metadata above and the signatures below are from behavioral1 (the Windows 7 x64 run); the file resources are all referenced as behavioral1/files/....
General

Target: 5411a72cf2dba2b74598f0276ca3a4bcae4af93efdef7f89d945f5553be06a80_NeikiAnalytics.exe
Size: 1.3MB
MD5: 12cf9a525ad334a9b69489c406008cf0
SHA1: c8b30ed5ca11fe4455926f63bb8a6efc68a6a3fa
SHA256: 5411a72cf2dba2b74598f0276ca3a4bcae4af93efdef7f89d945f5553be06a80
SHA512: 761d0b5af8fff18ede9a8443d0841a182d3efb06ce8e8bb752867d540a9880b1b37fde69780a611563969b9fdccabdd301c5296df03239a226ec5398c50d12c7
SSDEEP: 24576:Ivr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:IkB9f0VP91v92W805IPSOdKgzEoxrlQ3
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 entries are under the key
SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
(the WOW64 32-bit view, consistent with the SysWOW64 drop paths below; "Key created" entries write the same key with the casing "Software"). Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, so the value Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" turns the CLSID registered under "Modifies registry class" (whose InProcServer32 points at a dropped DLL in SysWow64) into an autostart that does not touch the usual Run keys. Each dropped executable in the chain re-sets the same value, which is why one CLSID appears 64 times.

description | ioc | Process
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ajejgp32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bbhela32.exe
Key created | SSODL | Jocflgga.exe
Key created | SSODL | Fqomci32.exe
Key created | SSODL | Process not Found
Key created | SSODL | Keoapb32.exe
Key created | SSODL | Kjqccigf.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Naajoinb.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dahgni32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fqcfnhjb.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | SSODL | Qbcpbo32.exe
Key created | SSODL | Fepiimfg.exe
Key created | SSODL | Ikfmfi32.exe
Key created | SSODL | Jdaqmg32.exe
Key created | SSODL | Lfpeeqig.exe
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ngpolo32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Abhkfg32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Imnbbi32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kjleflod.exe
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jfqahgpg.exe
Key created | SSODL | Ommfga32.exe
Key created | SSODL | Hphidanj.exe
Key created | SSODL | Fdhlnhhc.exe
Key created | SSODL | Klehgh32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | SSODL | Process not Found
Key created | SSODL | Ckjpacfp.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nadpgggp.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pjldghjm.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hiqbndpb.exe
Key created | SSODL | Npojdpef.exe
Key created | SSODL | Process not Found
Key created | SSODL | Aeidgbaf.exe
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mkeimlfm.exe
Key created | SSODL | Bhhpeafc.exe
Key created | SSODL | Lmfhil32.exe
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hobcak32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qimhoi32.exe
Key created | SSODL | Oeeecekc.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | SSODL | Bfkifhib.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ieigfk32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jcmafj32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kiijnq32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lfpclh32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cklfll32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Edccch32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Chhjkl32.exe
Key created | SSODL | Hgdbhi32.exe
Key created | SSODL | Jhljdm32.exe
Set value (str) | SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | SSODL | Process not Found
Key created | SSODL | Process not Found
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

All 64 resources below matched the YARA rule family_berbew. Paths are relative to behavioral1/:

files/0x000c000000013143-5.dat, files/0x0007000000015cdb-20.dat, files/0x000a000000015d6e-49.dat, files/0x0007000000015cf7-42.dat, files/0x0006000000016c7a-64.dat, files/0x0006000000016cc9-85.dat, files/0x0036000000015cad-93.dat, files/0x0006000000016cf5-114.dat, files/0x0006000000016d06-121.dat, files/0x0006000000016d17-141.dat, files/0x0006000000016d27-152.dat, files/0x0006000000016d40-166.dat, files/0x0006000000016d4b-176.dat, files/0x0006000000016f82-196.dat, files/0x0006000000017185-205.dat, files/0x0006000000017387-224.dat, files/0x0009000000018648-239.dat, files/0x0006000000017465-232.dat, files/0x000500000001865b-250.dat, files/0x000500000001876e-292.dat, memory/2152-324-0x00000000002D0000-0x0000000000303000-memory.dmp (the only memory hit; PID 2152 is Dqlafm32.exe), files/0x00050000000193fa-355.dat, files/0x00050000000195f6-450.dat, files/0x0005000000019809-506.dat, files/0x0005000000019995-515.dat, files/0x0005000000019c8d-538.dat, files/0x0005000000019d96-551.dat, files/0x000500000001a013-574.dat, files/0x000500000001a07f-586.dat, files/0x000500000001a42c-607.dat, files/0x000500000001a488-642.dat, files/0x000500000001a4ba-695.dat, files/0x000500000001a4be-704.dat, files/0x000500000001a4cb-736.dat, files/0x000500000001a4cf-748.dat, files/0x000500000001a4df-780.dat, files/0x000500000001a4d8-771.dat, files/0x000500000001a4d4-757.dat, files/0x000500000001a4e7-807.dat, files/0x000500000001a4f0-819.dat, files/0x000500000001a4f9-844.dat, files/0x000500000001a500-859.dat, files/0x000500000001a743-875.dat, files/0x000500000001c64f-903.dat, files/0x000500000001c71e-915.dat, files/0x000500000001c75e-927.dat, files/0x000500000001c84a-956.dat, files/0x000500000001c862-980.dat, files/0x000500000001c888-1015.dat, files/0x000500000001c891-1037.dat, files/0x000500000001c89a-1064.dat, files/0x000500000001c8a0-1079.dat, files/0x000500000001c8aa-1105.dat, files/0x000500000001c8ae-1117.dat, files/0x000500000001c8a5-1093.dat, files/0x000500000001c8b2-1129.dat, files/0x000500000001c895-1054.dat, files/0x000500000001c8ba-1156.dat, files/0x000400000001c946-1209.dat, files/0x000400000001c94d-1221.dat, files/0x000400000001ca23-1239.dat, files/0x000400000001caca-1249.dat, files/0x000400000001cb5b-1270.dat, files/0x000400000001cb93-1322.dat
Executes dropped EXE (64 IoCs)

Each dropped executable is started by the previous one, so this list is also the order of the process chain (see "Suspicious use of WriteProcessMemory" below).

pid | Process
1708 | Paggai32.exe
2988 | Piehkkcl.exe
2596 | Pigeqkai.exe
2604 | Phjelg32.exe
2492 | Qnfjna32.exe
2564 | Qjmkcbcb.exe
1952 | Admemg32.exe
2624 | Aiinen32.exe
2304 | Boiccdnf.exe
1652 | Bagpopmj.exe
1816 | Bbflib32.exe
2296 | Bloqah32.exe
1736 | Bdjefj32.exe
2844 | Bcaomf32.exe
1096 | Cjbmjplb.exe
1664 | Ckdjbh32.exe
1164 | Cfinoq32.exe
1120 | Chhjkl32.exe
1056 | Dflkdp32.exe
1880 | Dkhcmgnl.exe
1804 | Dbbkja32.exe
964 | Dbehoa32.exe
2528 | Ddeaalpg.exe
2000 | Djbiicon.exe
2152 | Dqlafm32.exe
2884 | Dfijnd32.exe
2892 | Eihfjo32.exe
2584 | Ecmkghcl.exe
2656 | Eflgccbp.exe
2616 | Eijcpoac.exe
2908 | Ecpgmhai.exe
2704 | Eilpeooq.exe
2780 | Ekklaj32.exe
2684 | Enihne32.exe
2360 | Eiomkn32.exe
2472 | Egamfkdh.exe
2308 | Ebgacddo.exe
2292 | Eeempocb.exe
1824 | Egdilkbf.exe
1964 | Ennaieib.exe
644 | Faokjpfd.exe
872 | Fcmgfkeg.exe
1820 | Fnbkddem.exe
292 | Fpdhklkl.exe
2896 | Ffnphf32.exe
920 | Filldb32.exe
560 | Facdeo32.exe
996 | Fdapak32.exe
2944 | Ffpmnf32.exe
3024 | Fioija32.exe
2984 | Fmjejphb.exe
1616 | Fddmgjpo.exe
2880 | Feeiob32.exe
2648 | Fiaeoang.exe
2016 | Fmlapp32.exe
2588 | Gpknlk32.exe
1200 | Gonnhhln.exe
2052 | Gegfdb32.exe
820 | Glaoalkh.exe
1412 | Gpmjak32.exe
576 | Gangic32.exe
3040 | Gieojq32.exe
452 | Ghhofmql.exe
540 | Gkgkbipp.exe
Loads dropped DLL (64 IoCs)

Each of the following 32 processes appears twice in the report's 64 entries (pid Process):

2868 5411a72cf2dba2b74598f0276ca3a4bcae4af93efdef7f89d945f5553be06a80_NeikiAnalytics.exe, 1708 Paggai32.exe, 2988 Piehkkcl.exe, 2596 Pigeqkai.exe, 2604 Phjelg32.exe, 2492 Qnfjna32.exe, 2564 Qjmkcbcb.exe, 1952 Admemg32.exe, 2624 Aiinen32.exe, 2304 Boiccdnf.exe, 1652 Bagpopmj.exe, 1816 Bbflib32.exe, 2296 Bloqah32.exe, 1736 Bdjefj32.exe, 2844 Bcaomf32.exe, 1096 Cjbmjplb.exe, 1664 Ckdjbh32.exe, 1164 Cfinoq32.exe, 1120 Chhjkl32.exe, 1056 Dflkdp32.exe, 1880 Dkhcmgnl.exe, 1804 Dbbkja32.exe, 964 Dbehoa32.exe, 2528 Ddeaalpg.exe, 2000 Djbiicon.exe, 2152 Dqlafm32.exe, 2884 Dfijnd32.exe, 2892 Eihfjo32.exe, 2584 Ecmkghcl.exe, 2656 Eflgccbp.exe, 2616 Eijcpoac.exe, 2908 Ecpgmhai.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\. The .exe files are the next links in the process chain; the .dll files are the COM servers referenced from the CLSID's InProcServer32 value (see "Modifies registry class").

description | ioc | Process
File opened for modification | Comdkipe.exe | Ckahkk32.exe
File opened for modification | Ehmdgp32.exe | Process not Found
File created | Eknmhk32.exe | Process not Found
File created | Lhbcfa32.exe | Lecgje32.exe
File opened for modification | Mponel32.exe | Mlcbenjb.exe
File created | Aeaceffc.dll | Meppiblm.exe
File opened for modification | Pngphgbf.exe | Pjldghjm.exe
File opened for modification | Jgncfcaa.exe | Jcbhee32.exe
File created | Nnennj32.exe | Nocnbmoo.exe
File created | Ghfnkn32.dll | Ginnnooi.exe
File created | Mbkmlh32.exe | Mooaljkh.exe
File opened for modification | Nefdpjkl.exe | Process not Found
File created | Kpkofpgq.exe | Kahojc32.exe
File created | Dkgippgb.exe | Cejphiik.exe
File created | Gjhmge32.dll | Process not Found
File opened for modification | Npgihn32.exe | Nmhmlbkk.exe
File created | Ehlenfjb.dll | Hjipenda.exe
File created | Nhdhif32.exe | Npmphinm.exe
File created | Mdkqqa32.exe | Mamddf32.exe
File opened for modification | Jjmpbopd.exe | Jgncfcaa.exe
File opened for modification | Jonbee32.exe | Jlpeij32.exe
File created | Oedcmfgb.dll | Khkpijma.exe
File created | Lbcpac32.exe | Lpedeg32.exe
File opened for modification | Iknnbklc.exe | Ihoafpmp.exe
File created | Fjdnlhco.exe | Ffibkj32.exe
File created | Nabopjmj.exe | Process not Found
File created | Cnfqccna.exe | Process not Found
File opened for modification | Ileiplhn.exe | Icmegf32.exe
File created | Biojif32.exe | Bfpnmj32.exe
File created | Jgfklg32.dll | Process not Found
File created | Goiebopf.dll | Process not Found
File created | Jikeeh32.exe | Process not Found
File created | Ckgkkllh.dll | Dlnbeh32.exe
File created | Aobcmana.dll | Pmccjbaf.exe
File opened for modification | Qflhbhgg.exe | Qbplbi32.exe
File opened for modification | Piehkkcl.exe | Paggai32.exe
File opened for modification | Lapnnafn.exe | Lghjel32.exe
File created | Iaonhm32.exe | Incbgnmc.exe
File created | Fhbhji32.dll | Bnkbam32.exe
File opened for modification | Gnpflj32.exe | Ggfnopfg.exe
File created | Nhfipcid.exe | Nhdlkdkg.exe
File created | Ileiplhn.exe | Icmegf32.exe
File opened for modification | Ikefkcmo.exe | Ionefb32.exe
File created | Fdgibphb.dll | Process not Found
File created | Ddpobo32.exe | Process not Found
File created | Ghcoqh32.exe | Gedbdlbb.exe
File created | Lhnnjk32.dll | Pomfkndo.exe
File opened for modification | Dcccpl32.exe | Dohgomgf.exe
File opened for modification | Ffibkj32.exe | Fcjeon32.exe
File created | Moeinj32.dll | Process not Found
File created | Aibajhdn.exe | Afcenm32.exe
File created | Diphbfdi.exe | Daipqhdg.exe
File created | Gepafc32.exe | Process not Found
File created | Jddnncch.dll | Miooigfo.exe
File opened for modification | Pnajilng.exe | Pfjbgnme.exe
File created | Mpioaoic.dll | Qimhoi32.exe
File created | Ahoanjcc.dll | Emnndlod.exe
File opened for modification | Mmldme32.exe | Mgalqkbk.exe
File opened for modification | Eplkpgnh.exe | Emnndlod.exe
File created | Mjcoqdoc.exe | Mcifdj32.exe
File created | Ddnfop32.exe | Dlgnmb32.exe
File created | Dlndnacm.exe | Diphbfdi.exe
File created | Nlhqhm32.dll | Gnpmfqap.exe
File created | Qmdnng32.dll | Pojbkh32.exe
Drops file in Windows directory (1 IoC)

description | ioc | Process
File created | C:\Windows\system32†Delgfamk.¾ll | Process not Found

The path is reproduced exactly as the sandbox recorded it, non-ASCII bytes included; it is a malformed system32 path rather than a SysWOW64 drop, which is why the report files it under "Windows directory" instead of "System32 directory".
Modifies registry class (64 IoCs)

All 64 entries are under the key
CLSIDKEY = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
which is the COM registration for the CLSID that the ShellServiceObjectDelayLoad value above points at. The report writes the default value as an empty name and escapes backslashes in the DLL paths; both are normalised here as (Default) and single backslashes. Each dropped executable re-registers the CLSID with a different, freshly dropped DLL name, so the InProcServer32 path changes along the chain.

description | ioc | Process
Key created | CLSIDKEY | Cckdlnjg.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Olgmcmgh.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Bncaekhp.exe
Key created | CLSIDKEY | Hnpbjnpo.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Jqdipqbp.exe
Key created | CLSIDKEY | Cklfll32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Pgnlcdfj.dll" | Ikpmpc32.exe
Key created | CLSIDKEY | Dpgcip32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Hgpdcgoc.dll" | Hnojdcfi.exe
Key created | CLSIDKEY | Dbfabp32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Nhdlkdkg.exe
Key created | CLSIDKEY | Lbogfcjc.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Fnkjpo32.dll" | Fokdfajl.exe
Key created | CLSIDKEY | Epbfmd32.exe
Key created | CLSIDKEY | Nhohda32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Kopokehd.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Process not Found
Key created | CLSIDKEY | Oklkmnbp.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Agjiphda.dll" | Behnnm32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Heapkela.dll" | Lohjnf32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Jemoqj32.dll" | Fdhlnhhc.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Meccmfen.dll" | Comdkipe.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ooqpdj32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Idgcbbda.dll" | Process not Found
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Cmlcld32.dll" | Process not Found
Key created | CLSIDKEY | Mponel32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ocalkn32.exe
Key created | CLSIDKEY | Dqlafm32.exe
Key created | CLSIDKEY | Dlkepi32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Fpkjkkdg.dll" | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Qchaehnb.dll" | Process not Found
Key created | CLSIDKEY | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Dcnilecc.dll" | Okdkal32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Fffefjmi.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Fcmmdp32.dll" | Gbqbaofc.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Bgnfdm32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Khabghdl.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Cejmcm32.dll" | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Akbipbbd.dll" | Jfiale32.exe
Key created | CLSIDKEY | Lcagpl32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Hmbpmapf.exe
Key created | CLSIDKEY | Process not Found
Key created | CLSIDKEY | Habfipdj.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Aeiloh32.dll" | Jgncfcaa.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Iffjegma.dll" | Ooqpdj32.exe
Key created | CLSIDKEY | Process not Found
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Process not Found
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Iecimppi.dll" | Ekklaj32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Dhhlgc32.dll" | Edkcojga.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Pfhcmc32.dll" | Ocohkh32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Jooafm32.dll" | Loeebl32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Gedbdlbb.exe
Key created | CLSIDKEY | Aibajhdn.exe
Key created | CLSIDKEY | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Gjlegpjp.dll" | Ncgdbmmp.exe
Key created | CLSIDKEY | Jkjfah32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ehmbng32.exe
Key created | CLSIDKEY | Process not Found
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Ihomanac.dll" | Bloqah32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ebgacddo.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5411a72cf2dba2b74598f0276ca3a4bcae4af93efdef7f89d945f5553be06a80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5411a72cf2dba2b74598f0276ca3a4bcae4af93efdef7f89d945f5553be06a80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1120 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe33⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe36⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe37⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe39⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe40⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe41⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe42⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe43⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe44⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe45⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe46⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe47⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe48⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe49⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe50⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe51⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe52⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe53⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe54⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe55⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe56⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe57⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe58⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe59⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe60⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe61⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe62⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe63⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe64⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe65⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe66⤵PID:1632
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe67⤵PID:1840
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe68⤵PID:2956
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe69⤵PID:356
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe70⤵PID:2932
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe71⤵PID:2372
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe72⤵PID:2948
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe73⤵PID:2008
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1272 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe76⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe77⤵PID:2764
-
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe78⤵PID:1488
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe79⤵PID:808
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:608 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe81⤵PID:1236
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe83⤵PID:1660
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe84⤵PID:3068
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe85⤵PID:2104
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe86⤵PID:2332
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe87⤵PID:2672
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe88⤵PID:2012
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe89⤵PID:1432
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe90⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe91⤵PID:1636
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe92⤵PID:1788
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe93⤵PID:2040
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe94⤵PID:1348
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe95⤵PID:2540
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe96⤵PID:2480
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe97⤵PID:2700
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe98⤵PID:1940
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe99⤵PID:1444
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe100⤵PID:2972
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe101⤵PID:2484
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe102⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe103⤵PID:2324
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe105⤵PID:1984
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe106⤵PID:1552
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe107⤵PID:2080
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe108⤵PID:2248
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe109⤵PID:1128
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe110⤵PID:1928
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe111⤵PID:2216
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe112⤵PID:2784
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe113⤵PID:2032
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe114⤵PID:2276
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe115⤵PID:2056
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe116⤵PID:2028
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe117⤵PID:2288
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe118⤵PID:1124
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe119⤵PID:1924
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe120⤵PID:2888
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe121⤵PID:2064
-
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe122⤵PID:2388