Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 02:06
Behavioral tasks
behavioral1: sample 473e4efcd41b7429045f131aaa657bd0_NeikiAnalytics.exe, resource win7-20240221-en
behavioral2: sample 473e4efcd41b7429045f131aaa657bd0_NeikiAnalytics.exe, resource win10v2004-20240426-en
General
Target: 473e4efcd41b7429045f131aaa657bd0_NeikiAnalytics.exe
Size: 305KB
MD5: 473e4efcd41b7429045f131aaa657bd0
SHA1: 004b9ddfbb4ec9ebba0fc7fbf4e98742ee258e38
SHA256: da9c07e7dd9fdbbcd298d5388a065c8ad5d6d91c3b35547532857764b43d34ee
SHA512: dcb9f5f0e3f9de84a89c2d8e62295b08a8ea129251437116294fce11033e3ba6521aa8e5459e5089c6fa8992a30db99ea66ee6f7cb0d83c21c8c662bec76f32d
SSDEEP: 6144:xc9YMVO/PHFyNNxunXe8yhrtMsQBvli+RQFdq:xc9Y5KvAO8qRMsrOQF
Malware Config

Signatures
Every signature below comes from behavioral2, the Windows 10 2004 x64 task: the YARA resources live under behavioral2/ and all registry and file paths go through WOW6432Node and SysWOW64, i.e. a 32-bit sample running on a 64-bit host. The report shows at most 64 IoCs per signature, so each list is a capped excerpt, not the full set.
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad (SSODL) when the shell starts, so the value below is the persistence hook; the payload DLL is whatever that CLSID's InProcServer32 key points at ("Modifies registry class" further down). All 64 IoCs touch the same key and the same value, so they are grouped by operation and writing process instead of being repeated row by row.
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the "Key created" rows log it as ...\Software\...; the registry is case-insensitive)
Value set (str): Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created by (28 processes): Jbfpobpb.exe, Nafokcol.exe, Fjcclf32.exe, Ndidbn32.exe, Oqdoboli.exe, Eoapbo32.exe, Hpbaqj32.exe, Olapkmic.exe, Phkmem32.exe, Ejegjh32.exe, Gfhqbe32.exe, Pmfhig32.exe, Bhhdil32.exe, Iakaql32.exe, Mdjagjco.exe, Gbldaffp.exe, Fhgjblfq.exe, Hcpclbfa.exe, Bakqfp32.exe, Jibeql32.exe, Iikhfg32.exe, Ffgqqaip.exe, Gjlfbd32.exe, Jjpeepnb.exe, Acocaf32.exe, Peljol32.exe, Cfpnph32.exe, Ijfboafl.exe
Value set by (36 processes): Gbenqg32.exe, Ddjejl32.exe, Ipnalhii.exe, Kkkdan32.exe, Dknpmdfc.exe, Ifhiib32.exe, Jbkjjblm.exe, Imoneg32.exe, Aeniabfd.exe, Capchmmb.exe, Onholckc.exe, Dhnnep32.exe, Kmdqgd32.exe, Bpladg32.exe, Bidemmnj.exe, Dephckaf.exe, Eoapbo32.exe, Calhnpgn.exe, Chagok32.exe, Gqkhjn32.exe, Fkffog32.exe, Gfpcgpae.exe, Iikhfg32.exe, Noopjmnl.exe, Ijkljp32.exe, Chdkoa32.exe, Ldleel32.exe, Mmbfpp32.exe, Ofeilobp.exe, Pqknig32.exe, Imgkql32.exe, Nkjjij32.exe, Pjffbc32.exe, Pgjfkg32.exe, Bganhm32.exe, Piockppb.exe
- Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan that can download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.
All 64 matches are YARA rule family_berbew on files dropped during behavioral2:
behavioral2/files/0x0008000000023288-8.dat, 0x00070000000233f8-14.dat, 0x00070000000233fa-22.dat, 0x00070000000233fc-30.dat, 0x00070000000233ff-38.dat, 0x0007000000023401-46.dat, 0x0007000000023403-54.dat, 0x0007000000023405-62.dat,
0x0007000000023407-70.dat, 0x0007000000023409-78.dat, 0x000700000002340b-86.dat, 0x000700000002340d-94.dat, 0x000700000002340f-102.dat, 0x0007000000023411-110.dat, 0x0007000000023413-118.dat, 0x0007000000023415-126.dat,
0x0007000000023417-134.dat, 0x0007000000023419-142.dat, 0x000700000002341b-151.dat, 0x000700000002341d-158.dat, 0x00080000000233f5-166.dat, 0x0007000000023421-174.dat, 0x0007000000023423-182.dat, 0x0007000000023425-190.dat,
0x0007000000023427-199.dat, 0x0007000000023429-207.dat, 0x000700000002342b-215.dat, 0x000700000002342d-222.dat, 0x000700000002342f-230.dat, 0x0007000000023431-238.dat, 0x0007000000023433-247.dat, 0x0007000000023435-254.dat,
0x000700000002343f-281.dat, 0x000700000002345b-371.dat, 0x000700000002346a-419.dat, 0x0007000000023470-436.dat, 0x000700000002348a-504.dat, 0x0007000000023494-534.dat, 0x000700000002349a-555.dat, 0x00070000000234a6-596.dat,
0x00070000000234b2-638.dat, 0x00070000000234c0-687.dat, 0x00070000000234e1-794.dat, 0x00070000000234f4-858.dat, 0x00070000000234fa-877.dat, 0x000700000002350a-931.dat, 0x000b000000023356-1085.dat, 0x0007000000023530-1112.dat,
0x0007000000023541-1163.dat, 0x000700000002354b-1198.dat, 0x0007000000023551-1219.dat, 0x0007000000023566-1280.dat, 0x0008000000023559-1310.dat, 0x0007000000023577-1340.dat, 0x00070000000235c1-1595.dat, 0x00070000000235c5-1609.dat,
0x00070000000235d1-1648.dat, 0x00070000000235e1-1699.dat, 0x00070000000235ef-1746.dat, 0x00070000000235f3-1760.dat, 0x00070000000235fb-1787.dat, 0x00070000000235ff-1799.dat, 0x0007000000023607-1826.dat, 0x0007000000023617-1881.dat
- Executes dropped EXE (64 IoCs)
pid and process: 3604 Noopjmnl.exe, 2892 Nnbpfj32.exe, 4076 Nqqlbe32.exe, 3440 Obphlhkm.exe, 4228 Oijqibbj.exe, 4584 Oodiem32.exe, 1788 Oilmnbpg.exe, 4704 Okkjjnok.exe, 4508 Obdbgh32.exe, 4072 Oiojdb32.exe, 3952 Okmfpm32.exe, 4536 Oeekicdi.exe, 4644 Ogdgencl.exe, 5104 Obikbgbb.exe, 1904 Olapkmic.exe, 3696 Pejddb32.exe, 1796 Phhqpn32.exe, 3240 Pnbimhfd.exe, 4620 Pelaib32.exe, 492 Phkmem32.exe, 1188 Pbpacfmj.exe, 4808 Pijjpp32.exe, 836 Ppdbljkd.exe, 3908 Paendb32.exe, 4948 Peajdajk.exe, 2172 Plkbak32.exe, 1480 Piockppb.exe, 4572 Qpikgj32.exe, 4660 Qnlkcfni.exe, 1428 Qhdpll32.exe, 4332 Qpkhmi32.exe, 4424 Qbjdiedp.exe, 4000 Qehqepcc.exe, 3196 Qhfmalbg.exe, 1068 Apndbici.exe, 4960 Ablaodbm.exe, 4908 Aaoaja32.exe, 1432 Ahiigkqd.exe, 980 Aldegj32.exe, 2432 Abnnddpj.exe, 368 Aaanpa32.exe, 4336 Ahkflk32.exe, 1944 Algbmjgk.exe, 4060 Abqjjd32.exe, 1900 Ahncbk32.exe, 4204 Apekch32.exe, 2228 Abcgoc32.exe, 744 Aeacko32.exe, 3116 Ahppgjjl.exe, 1688 Alkkhi32.exe, 4128 Abedecjb.exe, 3168 Aedpaoif.exe, 3940 Blnhni32.exe, 4924 Bpidngil.exe, 2320 Bakqfp32.exe, 764 Bhdibj32.exe, 2724 Bpladg32.exe, 1176 Bbjmpb32.exe, 1732 Bidemmnj.exe, 4360 Boanecla.exe, 3624 Bifbbllg.exe, 2176 Blennh32.exe, 5080 Bpqjofcd.exe, 1436 Bemcgmak.exe
- Drops file in System32 directory (64 IoCs)
Every path is under C:\Windows\SysWOW64; the writing process is in parentheses.
File created (47):
Lommhphi.dll (Bfabnjjp.exe), Bpladg32.exe (Bhdibj32.exe), Ngedij32.exe (Ndghmo32.exe), Kpjcdn32.exe (Kipkhdeq.exe), Hippdo32.exe (Hfachc32.exe), Dpemacql.exe (Dhnepfpj.exe), Cbefaj32.exe (Clkndpag.exe), Cchiaqjm.exe (Cpjmee32.exe),
Aqnhjk32.dll (Iakaql32.exe), Kpiecl32.dll (473e4efcd41b7429045f131aaa657bd0_NeikiAnalytics.exe), Fopfdhej.dll (Ccfmla32.exe), Nljofl32.exe (Nilcjp32.exe), Occkojkm.exe (Oqdoboli.exe), Pjjhbl32.exe (Pgllfp32.exe), Dadofijl.dll (Gqfooodg.exe), Gbajhpfb.dll (Gmoliohh.exe),
Goohek32.dll (Bpidngil.exe), Knkffk32.dll (Fchddejl.exe), Ipqnahgf.exe (Imbaemhc.exe), Ajgblndm.dll (Kkkdan32.exe), Liggbi32.exe (Lmqgnhmp.exe), Eemnjbaj.exe (Eabbjc32.exe), Oammoc32.dll (Dkifae32.exe), Nffiidan.dll (Olapkmic.exe),
Hipnbb32.dll (Nqpego32.exe), Aceghl32.dll (Kmfmmcbo.exe), Odimnk32.dll (Obphlhkm.exe), Gddfpk32.dll (Fomonm32.exe), Ekmihm32.dll (Ijfboafl.exe), Mgghhlhq.exe (Mnocof32.exe), Llgjjnlj.exe (Lenamdem.exe), Icpdfeeb.dll (Blennh32.exe),
Fphbondi.dll (Ejegjh32.exe), Ciglpe32.dll (Hfifmnij.exe), Ibmndm32.dll (Bbjmpb32.exe), Bpcbnd32.dll (Kdffocib.exe), Lifenaok.dll (Mpkbebbf.exe), Qbimoo32.exe (Qgciaf32.exe), Imllie32.dll (Kdcbom32.exe), Ceibclgn.exe (Cpljkdig.exe),
Ehifigof.dll (Jpojcf32.exe), Aadifclh.exe (Aminee32.exe), Lllcen32.exe (Lebkhc32.exe), Hjqaij32.dll (Dddojq32.exe), Hpoddikd.dll (Acnlgp32.exe), Mcgdgamg.dll (Cefoce32.exe), Ippggbck.exe (Imakkfdg.exe)
File opened for modification (17):
Kbaipkbi.exe (Kpbmco32.exe), Jbhmdbnp.exe (Jdemhe32.exe), Mpkbebbf.exe (Mnlfigcc.exe), Imgkql32.exe (Ijhodq32.exe), Ecmeig32.exe (Elbmlmml.exe), Qgqeappe.exe (Qdbiedpa.exe), Djdmffnn.exe (Ddjejl32.exe), Qnlkcfni.exe (Qpikgj32.exe), Hcmgfbhd.exe (Hfifmnij.exe),
Mnocof32.exe (Mciobn32.exe), Jfkoeppq.exe (Jbocea32.exe), Acmflf32.exe (Aanjpk32.exe), Fafkecel.exe (Fkmchi32.exe), Ogpmjb32.exe (Odapnf32.exe), Hippdo32.exe (Hfachc32.exe), Iemppiab.exe (Ibnccmbo.exe), Jdemhe32.exe (Jpjqhgol.exe)
- Program crash (1 IoC)
WerFault.exe (PID 14828) handled a crash of PID 14752 (procid_target 753).
- Modifies registry class (64 IoCs)
This is the COM registration behind the SSODL entry above. The InProcServer32 default value is the DLL that Explorer loads when it instantiates {79ECA078-17FF-726B-E811-213280E5C831}; each stage re-points that one CLSID at a different, freshly dropped DLL under SysWow64, so the same persistence key survives while the payload file name keeps changing. All 64 rows are under one key, so they are grouped by operation.
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
Key created by (20 processes): Dmefhako.exe, Clkndpag.exe, Cpljkdig.exe, Ogogoi32.exe, Ibjqcd32.exe, Jjbako32.exe, Nlaegk32.exe, Qnhahj32.exe, Kmfmmcbo.exe, Pdpmpdbd.exe, Fhgjblfq.exe, Mpkbebbf.exe, Iihkpg32.exe, Gjclbc32.exe, Qpkhmi32.exe, Mcpnhfhf.exe, Ipknlb32.exe, Maohkd32.exe, Bkidenlg.exe, Ibnccmbo.exe
ThreadingModel = "Apartment" set (str) by (23 processes): Lllcen32.exe, Fodeolof.exe, Jimekgff.exe, Boanecla.exe, Dmjocp32.exe, Llcpoo32.exe, Mnfipekh.exe, Nnjlpo32.exe, Ibccic32.exe, Jlbgha32.exe, Gqkhjn32.exe, Heapdjlp.exe, Qjoankoi.exe, Dhqaefng.exe, Ddbbeade.exe, Qdbiedpa.exe, Kdcbom32.exe, Mcpebmkb.exe, Klljnp32.exe, Qcgffqei.exe, Ndfqbhia.exe, Bmemac32.exe, Giofnacd.exe
Default value set (str), writing process -> DLL path (21 processes, 21 distinct DLLs; the report escapes the backslashes, shown here unescaped):
Blgkdg32.exe -> C:\Windows\SysWow64\Gdibmd32.dll
Agffge32.exe -> C:\Windows\SysWow64\Hjjgia32.dll
Clnjjpod.exe -> C:\Windows\SysWow64\Mhciec32.dll
Kpjcdn32.exe -> C:\Windows\SysWow64\Nkbjac32.dll
Chokikeb.exe -> C:\Windows\SysWow64\Maickled.dll
Pdifoehl.exe -> C:\Windows\SysWow64\Ekphijkm.dll
Imihfl32.exe -> C:\Windows\SysWow64\Gbledndp.dll
Gfcgge32.exe -> C:\Windows\SysWow64\Lolncpam.dll
Ndcdmikd.exe -> C:\Windows\SysWow64\Hlfofiig.dll
Giacca32.exe -> C:\Windows\SysWow64\Lmbocjjm.dll
Mpablkhc.exe -> C:\Windows\SysWow64\Onliio32.dll
Bnmcjg32.exe -> C:\Windows\SysWow64\Iphcjp32.dll
Kaqcbi32.exe -> C:\Windows\SysWow64\Nphqml32.dll
Pgmcqggf.exe -> C:\Windows\SysWow64\Gfniiokn.dll
Nnbpfj32.exe -> C:\Windows\SysWow64\Noggbepn.dll
Oflgep32.exe -> C:\Windows\SysWow64\Pkfhoiaf.dll
Afmhck32.exe -> C:\Windows\SysWow64\Gmdlbjng.dll
Pdpmpdbd.exe -> C:\Windows\SysWow64\Empbnb32.dll
Nljofl32.exe -> C:\Windows\SysWow64\Nenqea32.dll
Aeacko32.exe -> C:\Windows\SysWow64\Mpelbolg.dll
Dejacond.exe -> C:\Windows\SysWow64\Nbgngp32.dll
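The two registry signatures above ("Adds autorun key" and "Modifies registry class") only make sense together: the SSODL value names a CLSID, and the CLSID's InProcServer32 default names the DLL. The script below is an added example, not tria.ge code, that joins report rows of the layout used on this page into one finding per SSODL entry and flags entries that are off-baseline or whose CLSID has been bound to more than one DLL. Assumptions: the row layout ("<op> <path>[ = "<data>"] <writing process>"), the KNOWN_SSODL_CLSIDS baseline (WebCheck as the one legitimate entry), and the last SAMPLE_ROWS entry, which is a constructed benign control; the other sample rows are copied from this report.

```python
"""Join SSODL value rows with InProcServer32 rows into persistence findings.

Added example, not tria.ge code.  Row layout, baseline allowlist and the
benign control row are assumptions; the other sample rows come from the
report above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SSODL_KEY = r"\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
# a value directly under the SSODL key: ...\ShellServiceObjectDelayLoad\<name>
SSODL_VALUE_RE = re.compile(re.escape(SSODL_KEY) + r"\\([^\\]+)$")
# InProcServer32 default value (the trailing backslash marks "(Default)")
INPROC_DEFAULT_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\$")

# Assumed clean-host baseline: WebCheck is the classic legitimate SSODL entry.
KNOWN_SSODL_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    data: Optional[str]
    process: str


def parse_row(row: str) -> RegEvent:
    """Split one report row into operation, registry path, data and writer."""
    body, process = row.rsplit(" ", 1)          # writer is the last token
    for op in ("Set value (str)", "Key created"):
        if body.startswith(op + " "):
            rest = body[len(op) + 1:]
            break
    else:
        raise ValueError(f"unrecognised row: {row!r}")
    data = None
    if ' = "' in rest:
        path, data = rest.split(' = "', 1)
        data = data.rstrip('"').replace("\\\\", "\\")  # report doubles backslashes
    else:
        path = rest
    return RegEvent(op, path, data, process)


def find_ssodl_persistence(rows: List[str]) -> List[dict]:
    """One finding per (SSODL value name, CLSID), with every DLL bound to it."""
    events = [parse_row(r) for r in rows]

    dlls_by_clsid: Dict[str, set] = defaultdict(set)
    for e in events:
        m = INPROC_DEFAULT_RE.search(e.path)
        if e.op == "Set value (str)" and m and e.data:
            dlls_by_clsid[m.group(1).upper()].add((e.data, e.process))

    writers: Dict[tuple, set] = {}
    for e in events:
        m = SSODL_VALUE_RE.search(e.path)
        if e.op == "Set value (str)" and m and e.data:
            writers.setdefault((m.group(1), e.data.upper()), set()).add(e.process)

    findings = []
    for (name, clsid), procs in writers.items():
        dlls = sorted(dlls_by_clsid.get(clsid, ()))
        distinct = {path for path, _ in dlls}
        reasons = []
        if clsid not in KNOWN_SSODL_CLSIDS:
            reasons.append("CLSID not in clean-host baseline")
        if len(distinct) > 1:
            reasons.append(f"CLSID rebound to {len(distinct)} different DLLs")
        findings.append({"value_name": name, "clsid": clsid, "set_by": sorted(procs),
                         "dlls": dlls, "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Rows copied from this report, plus one constructed benign control (last).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbenqg32.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfpobpb.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Noopjmnl.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lllcen32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmefhako.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdibmd32.dll" Blgkdg32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" Dejacond.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" explorer.exe',
]

if __name__ == "__main__":
    for f in find_ssodl_persistence(SAMPLE_ROWS):
        tag = "SUSPICIOUS" if f["suspicious"] else "baseline"
        print(f"[{tag}] SSODL '{f['value_name']}' -> {f['clsid']} set by {', '.join(f['set_by'])}")
        for path, proc in f["dlls"]:
            print(f"    InProcServer32 = {path}  (written by {proc})")
        for reason in f["reasons"]:
            print(f"    reason: {reason}")
```

Run on the full 128 rows of the two signatures the "Web Event Logger" finding lists all 36 writers and all 21 DLLs; the rebinding count on its own is a strong signal even where the CLSID is not yet in any blocklist, because a legitimate shell extension is registered once, not re-pointed by 21 different processes.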
- Suspicious use of WriteProcessMemory (64 IoCs)
Each process writes into exactly one child and tria.ge logs every (writer, target) pair three times, so the 64 rows describe a single linear chain: the sample launches the first dropped executable, which launches the next, and so on. Rows are collapsed here to one line per pair (writer pid and image -> target pid, target procid).
4316 473e4efcd41b7429045f131aaa657bd0_NeikiAnalytics.exe -> 3604 (82)
3604 Noopjmnl.exe -> 2892 (83)
2892 Nnbpfj32.exe -> 4076 (84)
4076 Nqqlbe32.exe -> 3440 (85)
3440 Obphlhkm.exe -> 4228 (86)
4228 Oijqibbj.exe -> 4584 (87)
4584 Oodiem32.exe -> 1788 (88)
1788 Oilmnbpg.exe -> 4704 (89)
4704 Okkjjnok.exe -> 4508 (90)
4508 Obdbgh32.exe -> 4072 (91)
4072 Oiojdb32.exe -> 3952 (92)
3952 Okmfpm32.exe -> 4536 (93)
4536 Oeekicdi.exe -> 4644 (95)
4644 Ogdgencl.exe -> 5104 (96)
5104 Obikbgbb.exe -> 1904 (97)
1904 Olapkmic.exe -> 3696 (99)
3696 Pejddb32.exe -> 1796 (100)
1796 Phhqpn32.exe -> 3240 (101)
3240 Pnbimhfd.exe -> 4620 (103)
4620 Pelaib32.exe -> 492 (104)
492 Phkmem32.exe -> 1188 (105)
1188 Pbpacfmj.exe -> 4808 (106) (only one of its three rows fits before the 64-IoC cut-off)
Processes
# | Image path | Command line | PID
1 | C:\Users\Admin\AppData\Local\Temp\473e4efcd41b7429045f131aaa657bd0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\473e4efcd41b7429045f131aaa657bd0_NeikiAnalytics.exe" | PID:4316
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Noopjmnl.exe | C:\Windows\system32\Noopjmnl.exe | PID:3604
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Nnbpfj32.exe | C:\Windows\system32\Nnbpfj32.exe | PID:2892
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Nqqlbe32.exe | C:\Windows\system32\Nqqlbe32.exe | PID:4076
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Obphlhkm.exe | C:\Windows\system32\Obphlhkm.exe | PID:3440
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Oijqibbj.exe | C:\Windows\system32\Oijqibbj.exe | PID:4228
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Oodiem32.exe | C:\Windows\system32\Oodiem32.exe | PID:4584
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Oilmnbpg.exe | C:\Windows\system32\Oilmnbpg.exe | PID:1788
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Okkjjnok.exe | C:\Windows\system32\Okkjjnok.exe | PID:4704
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Obdbgh32.exe | C:\Windows\system32\Obdbgh32.exe | PID:4508
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Oiojdb32.exe | C:\Windows\system32\Oiojdb32.exe | PID:4072
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Okmfpm32.exe | C:\Windows\system32\Okmfpm32.exe | PID:3952
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Oeekicdi.exe | C:\Windows\system32\Oeekicdi.exe | PID:4536
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Ogdgencl.exe | C:\Windows\system32\Ogdgencl.exe | PID:4644
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Obikbgbb.exe | C:\Windows\system32\Obikbgbb.exe | PID:5104
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Olapkmic.exe | C:\Windows\system32\Olapkmic.exe | PID:1904
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Pejddb32.exe | C:\Windows\system32\Pejddb32.exe | PID:3696
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
18 | C:\Windows\SysWOW64\Phhqpn32.exe | C:\Windows\system32\Phhqpn32.exe | PID:1796
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
19 | C:\Windows\SysWOW64\Pnbimhfd.exe | C:\Windows\system32\Pnbimhfd.exe | PID:3240
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
20 | C:\Windows\SysWOW64\Pelaib32.exe | C:\Windows\system32\Pelaib32.exe | PID:4620
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
21 | C:\Windows\SysWOW64\Phkmem32.exe | C:\Windows\system32\Phkmem32.exe | PID:492
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
22 | C:\Windows\SysWOW64\Pbpacfmj.exe | C:\Windows\system32\Pbpacfmj.exe | PID:1188
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
23 | C:\Windows\SysWOW64\Pijjpp32.exe | C:\Windows\system32\Pijjpp32.exe | PID:4808
  - Executes dropped EXE
24 | C:\Windows\SysWOW64\Ppdbljkd.exe | C:\Windows\system32\Ppdbljkd.exe | PID:836
  - Executes dropped EXE
25 | C:\Windows\SysWOW64\Paendb32.exe | C:\Windows\system32\Paendb32.exe | PID:3908
  - Executes dropped EXE
26 | C:\Windows\SysWOW64\Peajdajk.exe | C:\Windows\system32\Peajdajk.exe | PID:4948
  - Executes dropped EXE
27 | C:\Windows\SysWOW64\Plkbak32.exe | C:\Windows\system32\Plkbak32.exe | PID:2172
  - Executes dropped EXE
28 | C:\Windows\SysWOW64\Piockppb.exe | C:\Windows\system32\Piockppb.exe | PID:1480
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
29 | C:\Windows\SysWOW64\Qpikgj32.exe | C:\Windows\system32\Qpikgj32.exe | PID:4572
  - Executes dropped EXE
  - Drops file in System32 directory
30 | C:\Windows\SysWOW64\Qnlkcfni.exe | C:\Windows\system32\Qnlkcfni.exe | PID:4660
  - Executes dropped EXE
31 | C:\Windows\SysWOW64\Qhdpll32.exe | C:\Windows\system32\Qhdpll32.exe | PID:1428
  - Executes dropped EXE
32 | C:\Windows\SysWOW64\Qpkhmi32.exe | C:\Windows\system32\Qpkhmi32.exe | PID:4332
  - Executes dropped EXE
  - Modifies registry class
33 | C:\Windows\SysWOW64\Qbjdiedp.exe | C:\Windows\system32\Qbjdiedp.exe | PID:4424
  - Executes dropped EXE
34 | C:\Windows\SysWOW64\Qehqepcc.exe | C:\Windows\system32\Qehqepcc.exe | PID:4000
  - Executes dropped EXE
35 | C:\Windows\SysWOW64\Qhfmalbg.exe | C:\Windows\system32\Qhfmalbg.exe | PID:3196
  - Executes dropped EXE
36 | C:\Windows\SysWOW64\Apndbici.exe | C:\Windows\system32\Apndbici.exe | PID:1068
  - Executes dropped EXE
37 | C:\Windows\SysWOW64\Ablaodbm.exe | C:\Windows\system32\Ablaodbm.exe | PID:4960
  - Executes dropped EXE
38 | C:\Windows\SysWOW64\Aaoaja32.exe | C:\Windows\system32\Aaoaja32.exe | PID:4908
  - Executes dropped EXE
39 | C:\Windows\SysWOW64\Ahiigkqd.exe | C:\Windows\system32\Ahiigkqd.exe | PID:1432
  - Executes dropped EXE
40 | C:\Windows\SysWOW64\Aldegj32.exe | C:\Windows\system32\Aldegj32.exe | PID:980
  - Executes dropped EXE
41 | C:\Windows\SysWOW64\Abnnddpj.exe | C:\Windows\system32\Abnnddpj.exe | PID:2432
  - Executes dropped EXE
42 | C:\Windows\SysWOW64\Aaanpa32.exe | C:\Windows\system32\Aaanpa32.exe | PID:368
  - Executes dropped EXE
43 | C:\Windows\SysWOW64\Ahkflk32.exe | C:\Windows\system32\Ahkflk32.exe | PID:4336
  - Executes dropped EXE
44 | C:\Windows\SysWOW64\Algbmjgk.exe | C:\Windows\system32\Algbmjgk.exe | PID:1944
  - Executes dropped EXE
45 | C:\Windows\SysWOW64\Abqjjd32.exe | C:\Windows\system32\Abqjjd32.exe | PID:4060
  - Executes dropped EXE
46 | C:\Windows\SysWOW64\Ahncbk32.exe | C:\Windows\system32\Ahncbk32.exe | PID:1900
  - Executes dropped EXE
47 | C:\Windows\SysWOW64\Apekch32.exe | C:\Windows\system32\Apekch32.exe | PID:4204
  - Executes dropped EXE
48 | C:\Windows\SysWOW64\Abcgoc32.exe | C:\Windows\system32\Abcgoc32.exe | PID:2228
  - Executes dropped EXE
49 | C:\Windows\SysWOW64\Aeacko32.exe | C:\Windows\system32\Aeacko32.exe | PID:744
  - Executes dropped EXE
  - Modifies registry class
50 | C:\Windows\SysWOW64\Ahppgjjl.exe | C:\Windows\system32\Ahppgjjl.exe | PID:3116
  - Executes dropped EXE
51 | C:\Windows\SysWOW64\Alkkhi32.exe | C:\Windows\system32\Alkkhi32.exe | PID:1688
  - Executes dropped EXE
52 | C:\Windows\SysWOW64\Abedecjb.exe | C:\Windows\system32\Abedecjb.exe | PID:4128
  - Executes dropped EXE
53 | C:\Windows\SysWOW64\Aedpaoif.exe | C:\Windows\system32\Aedpaoif.exe | PID:3168
  - Executes dropped EXE
54 | C:\Windows\SysWOW64\Blnhni32.exe | C:\Windows\system32\Blnhni32.exe | PID:3940
  - Executes dropped EXE
55 | C:\Windows\SysWOW64\Bpidngil.exe | C:\Windows\system32\Bpidngil.exe | PID:4924
  - Executes dropped EXE
  - Drops file in System32 directory
56 | C:\Windows\SysWOW64\Bakqfp32.exe | C:\Windows\system32\Bakqfp32.exe | PID:2320
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
57 | C:\Windows\SysWOW64\Bhdibj32.exe | C:\Windows\system32\Bhdibj32.exe | PID:764
  - Executes dropped EXE
  - Drops file in System32 directory
58 | C:\Windows\SysWOW64\Bpladg32.exe | C:\Windows\system32\Bpladg32.exe | PID:2724
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
59 | C:\Windows\SysWOW64\Bbjmpb32.exe | C:\Windows\system32\Bbjmpb32.exe | PID:1176
  - Executes dropped EXE
  - Drops file in System32 directory
60 | C:\Windows\SysWOW64\Bidemmnj.exe | C:\Windows\system32\Bidemmnj.exe | PID:1732
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
61 | C:\Windows\SysWOW64\Boanecla.exe | C:\Windows\system32\Boanecla.exe | PID:4360
  - Executes dropped EXE
  - Modifies registry class
62 | C:\Windows\SysWOW64\Bifbbllg.exe | C:\Windows\system32\Bifbbllg.exe | PID:3624
  - Executes dropped EXE
63 | C:\Windows\SysWOW64\Blennh32.exe | C:\Windows\system32\Blennh32.exe | PID:2176
  - Executes dropped EXE
  - Drops file in System32 directory
64 | C:\Windows\SysWOW64\Bpqjofcd.exe | C:\Windows\system32\Bpqjofcd.exe | PID:5080
  - Executes dropped EXE
65 | C:\Windows\SysWOW64\Bemcgmak.exe | C:\Windows\system32\Bemcgmak.exe | PID:1436
  - Executes dropped EXE
66 | C:\Windows\SysWOW64\Blgkdg32.exe | C:\Windows\system32\Blgkdg32.exe | PID:4940
  - Modifies registry class
67 | C:\Windows\SysWOW64\Bpcgdfaa.exe | C:\Windows\system32\Bpcgdfaa.exe | PID:4596
68 | C:\Windows\SysWOW64\Bbacqape.exe | C:\Windows\system32\Bbacqape.exe | PID:956
69 | C:\Windows\SysWOW64\Chnlihnl.exe | C:\Windows\system32\Chnlihnl.exe | PID:4252
70 | C:\Windows\SysWOW64\Cpedjf32.exe | C:\Windows\system32\Cpedjf32.exe | PID:4968
71 | C:\Windows\SysWOW64\Cafpanem.exe | C:\Windows\system32\Cafpanem.exe | PID:4244
72 | C:\Windows\SysWOW64\Cimhckeo.exe | C:\Windows\system32\Cimhckeo.exe | PID:4340
73 | C:\Windows\SysWOW64\Chphoh32.exe | C:\Windows\system32\Chphoh32.exe | PID:1648
74 | C:\Windows\SysWOW64\Cpgqpe32.exe | C:\Windows\system32\Cpgqpe32.exe | PID:1924
75 | C:\Windows\SysWOW64\Ccfmla32.exe | C:\Windows\system32\Ccfmla32.exe | PID:5092
  - Drops file in System32 directory
76 | C:\Windows\SysWOW64\Cedihl32.exe | C:\Windows\system32\Cedihl32.exe | PID:3496
77 | C:\Windows\SysWOW64\Cpjmee32.exe | C:\Windows\system32\Cpjmee32.exe | PID:3432
  - Drops file in System32 directory
78 | C:\Windows\SysWOW64\Cchiaqjm.exe | C:\Windows\system32\Cchiaqjm.exe | PID:2592
79 | C:\Windows\SysWOW64\Cefemliq.exe | C:\Windows\system32\Cefemliq.exe | PID:4544
80 | C:\Windows\SysWOW64\Chebighd.exe | C:\Windows\system32\Chebighd.exe | PID:4280
81 | C:\Windows\SysWOW64\Cpljkdig.exe | C:\Windows\system32\Cpljkdig.exe | PID:2980
  - Drops file in System32 directory
  - Modifies registry class
82 | C:\Windows\SysWOW64\Ceibclgn.exe | C:\Windows\system32\Ceibclgn.exe | PID:2304
83 | C:\Windows\SysWOW64\Chgoogfa.exe | C:\Windows\system32\Chgoogfa.exe | PID:3484
84 | C:\Windows\SysWOW64\Coagla32.exe | C:\Windows\system32\Coagla32.exe | PID:3836
85 | C:\Windows\SysWOW64\Capchmmb.exe | C:\Windows\system32\Capchmmb.exe | PID:4276
  - Adds autorun key to be loaded by Explorer.exe on startup
86 | C:\Windows\SysWOW64\Digkijmd.exe | C:\Windows\system32\Digkijmd.exe | PID:1988
87 | C:\Windows\SysWOW64\Dlegeemh.exe | C:\Windows\system32\Dlegeemh.exe | PID:640
88 | C:\Windows\SysWOW64\Doccaall.exe | C:\Windows\system32\Doccaall.exe | PID:4016
89 | C:\Windows\SysWOW64\Denlnk32.exe | C:\Windows\system32\Denlnk32.exe | PID:4836
90 | C:\Windows\SysWOW64\Diihojkb.exe | C:\Windows\system32\Diihojkb.exe | PID:5136
91 | C:\Windows\SysWOW64\Dlgdkeje.exe | C:\Windows\system32\Dlgdkeje.exe | PID:5176
92 | C:\Windows\SysWOW64\Dofpgqji.exe | C:\Windows\system32\Dofpgqji.exe | PID:5224
93 | C:\Windows\SysWOW64\Dadlclim.exe | C:\Windows\system32\Dadlclim.exe | PID:5268
94 | C:\Windows\SysWOW64\Dephckaf.exe | C:\Windows\system32\Dephckaf.exe | PID:5312
  - Adds autorun key to be loaded by Explorer.exe on startup
95 | C:\Windows\SysWOW64\Dhnepfpj.exe | C:\Windows\system32\Dhnepfpj.exe | PID:5348
  - Drops file in System32 directory
96 | C:\Windows\SysWOW64\Dpemacql.exe | C:\Windows\system32\Dpemacql.exe | PID:5400
97 | C:\Windows\SysWOW64\Dcdimopp.exe | C:\Windows\system32\Dcdimopp.exe | PID:5448
98 | C:\Windows\SysWOW64\Dhqaefng.exe | C:\Windows\system32\Dhqaefng.exe | PID:5492
  - Modifies registry class
99 | C:\Windows\SysWOW64\Dphifcoi.exe | C:\Windows\system32\Dphifcoi.exe | PID:5536
100 | C:\Windows\SysWOW64\Daifnk32.exe | C:\Windows\system32\Daifnk32.exe | PID:5580
101 | C:\Windows\SysWOW64\Dlojkddn.exe | C:\Windows\system32\Dlojkddn.exe | PID:5624
102 | C:\Windows\SysWOW64\Domfgpca.exe | C:\Windows\system32\Domfgpca.exe | PID:5668
103 | C:\Windows\SysWOW64\Dakbckbe.exe | C:\Windows\system32\Dakbckbe.exe | PID:5712
104 | C:\Windows\SysWOW64\Ehekqe32.exe | C:\Windows\system32\Ehekqe32.exe | PID:5760
105 | C:\Windows\SysWOW64\Epmcab32.exe | C:\Windows\system32\Epmcab32.exe | PID:5812
106 | C:\Windows\SysWOW64\Eoocmoao.exe | C:\Windows\system32\Eoocmoao.exe | PID:5856
107 | C:\Windows\SysWOW64\Efikji32.exe | C:\Windows\system32\Efikji32.exe | PID:5928
108 | C:\Windows\SysWOW64\Ejegjh32.exe | C:\Windows\system32\Ejegjh32.exe | PID:5984
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
109 | C:\Windows\SysWOW64\Elccfc32.exe | C:\Windows\system32\Elccfc32.exe | PID:6044
110 | C:\Windows\SysWOW64\Eoapbo32.exe | C:\Windows\system32\Eoapbo32.exe | PID:6084
  - Adds autorun key to be loaded by Explorer.exe on startup
111 | C:\Windows\SysWOW64\Ebploj32.exe | C:\Windows\system32\Ebploj32.exe | PID:6124
112 | C:\Windows\SysWOW64\Eflhoigi.exe | C:\Windows\system32\Eflhoigi.exe | PID:5184
113 | C:\Windows\SysWOW64\Ehjdldfl.exe | C:\Windows\system32\Ehjdldfl.exe | PID:5252
114 | C:\Windows\SysWOW64\Eleplc32.exe | C:\Windows\system32\Eleplc32.exe | PID:5376
115 | C:\Windows\SysWOW64\Eodlho32.exe | C:\Windows\system32\Eodlho32.exe | PID:5440
116 | C:\Windows\SysWOW64\Ebbidj32.exe | C:\Windows\system32\Ebbidj32.exe | PID:5552
117 | C:\Windows\SysWOW64\Efneehef.exe | C:\Windows\system32\Efneehef.exe | PID:5608
118 | C:\Windows\SysWOW64\Ehlaaddj.exe | C:\Windows\system32\Ehlaaddj.exe | PID:5680
119 | C:\Windows\SysWOW64\Eqciba32.exe | C:\Windows\system32\Eqciba32.exe | PID:5752
120 | C:\Windows\SysWOW64\Ecbenm32.exe | C:\Windows\system32\Ecbenm32.exe | PID:5840
121 | C:\Windows\SysWOW64\Efpajh32.exe | C:\Windows\system32\Efpajh32.exe | PID:5936
122 | C:\Windows\SysWOW64\Ejlmkgkl.exe | C:\Windows\system32\Ejlmkgkl.exe | PID:6040