Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
11/05/2024, 15:19
Behavioral task
behavioral1
Sample
135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe
-
Size
109KB
-
MD5
135bbd5de2f6e7df2e97ab8f4bd311f0
-
SHA1
75b02d88d0698031ce21721de9cc65cbc5a9d754
-
SHA256
862b4f648cb5922e3485c3d9e1e3e6484aaedebfe4c3d439e081922d8fea08bd
-
SHA512
5703d006e7ede69b249d4acf3a0e378ebc913a2f9f2c58deda5f9425ceeb36c47918ff8f7760e844ce26f55102e057da406898750ab4e858e6543658a335a38e
-
SSDEEP
3072:XZEMAwD3Tqo44MkusSfKXJ9hLCqwzBu1DjHLMVDqqkSp:X3Tqqu7KJ9pwtu1DjrFqh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bajjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbeidl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhemmlhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblngpbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heapdjlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgbnlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeniabfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpjjod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnkdhpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klqcioba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cefoce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbeqmoji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffddka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flceckoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfngap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lijdhiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majopeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnihcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eekaebcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndcdmikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcijeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odgqdlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daaicfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbceejpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhlml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkaejf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laefdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdilcla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnfkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbdgfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfaedkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjeoglgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cajcbgml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpeiioac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekehdgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpoefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njogjfoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmnpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicinj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpijp32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1852-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023298-6.dat family_berbew behavioral2/files/0x0007000000023425-14.dat family_berbew behavioral2/memory/4068-12-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/1976-15-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023427-22.dat family_berbew behavioral2/memory/552-28-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023429-30.dat family_berbew behavioral2/memory/2272-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002342c-38.dat family_berbew behavioral2/files/0x000700000002342e-46.dat family_berbew behavioral2/memory/3824-47-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/4976-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023430-54.dat family_berbew behavioral2/memory/1272-55-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023432-62.dat family_berbew behavioral2/memory/632-68-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023434-70.dat family_berbew behavioral2/memory/2620-72-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023436-78.dat family_berbew behavioral2/memory/1200-80-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023438-86.dat family_berbew behavioral2/memory/4712-88-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002343a-94.dat family_berbew behavioral2/memory/3928-96-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002343c-102.dat family_berbew behavioral2/memory/2348-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002343e-110.dat family_berbew behavioral2/memory/3172-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023440-118.dat family_berbew behavioral2/memory/4684-120-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023442-126.dat family_berbew behavioral2/memory/3316-128-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023444-134.dat family_berbew behavioral2/memory/3912-136-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023446-142.dat family_berbew behavioral2/memory/4056-144-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023448-150.dat family_berbew behavioral2/memory/2444-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002344a-158.dat family_berbew behavioral2/memory/4292-160-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002344c-167.dat family_berbew behavioral2/memory/4248-168-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002344e-169.dat family_berbew behavioral2/files/0x000700000002344e-174.dat family_berbew behavioral2/memory/3224-176-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023450-182.dat family_berbew behavioral2/memory/3496-184-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023452-190.dat family_berbew behavioral2/memory/4880-192-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023454-198.dat family_berbew behavioral2/memory/1576-200-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023456-207.dat family_berbew behavioral2/memory/4064-208-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000023422-214.dat family_berbew behavioral2/memory/4384-216-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023459-222.dat family_berbew behavioral2/memory/3600-224-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002345c-230.dat family_berbew behavioral2/memory/2212-236-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002345e-238.dat family_berbew behavioral2/files/0x0007000000023460-247.dat family_berbew behavioral2/memory/3256-245-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023462-254.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4068 Jdjfcecp.exe 1976 Jbmfoa32.exe 552 Jigollag.exe 2272 Jangmibi.exe 4976 Jbocea32.exe 3824 Jkfkfohj.exe 1272 Kdopod32.exe 632 Kgmlkp32.exe 2620 Kilhgk32.exe 1200 Kacphh32.exe 4712 Kbdmpqcb.exe 3928 Kkkdan32.exe 2348 Kaemnhla.exe 3172 Kdcijcke.exe 4684 Kgbefoji.exe 3316 Kagichjo.exe 3912 Kpjjod32.exe 4056 Kgdbkohf.exe 2444 Kibnhjgj.exe 4292 Kpmfddnf.exe 4248 Kckbqpnj.exe 3224 Kkbkamnl.exe 3496 Lmqgnhmp.exe 4880 Ldkojb32.exe 1576 Lgikfn32.exe 4064 Liggbi32.exe 4384 Lpappc32.exe 3600 Ldmlpbbj.exe 2212 Lkgdml32.exe 3256 Lijdhiaa.exe 664 Laalifad.exe 2744 Lcbiao32.exe 1964 Lkiqbl32.exe 2588 Laciofpa.exe 2836 Ldaeka32.exe 3320 Ljnnch32.exe 2168 Laefdf32.exe 3924 Lphfpbdi.exe 1720 Lgbnmm32.exe 1840 Mnlfigcc.exe 5060 Mpkbebbf.exe 4520 Mkpgck32.exe 3856 Majopeii.exe 2608 Mpmokb32.exe 908 Mcklgm32.exe 4548 Mkbchk32.exe 1920 Mnapdf32.exe 3436 Mdkhapfj.exe 1848 Mgidml32.exe 4336 Mkepnjng.exe 3688 Maohkd32.exe 3692 Mpaifalo.exe 2044 Mcpebmkb.exe 4208 Mkgmcjld.exe 1508 Mnfipekh.exe 5068 Mpdelajl.exe 1748 Mcbahlip.exe 4240 Nkjjij32.exe 3084 Nnhfee32.exe 536 Ndbnboqb.exe 4820 Ngpjnkpf.exe 3628 Njogjfoj.exe 4876 Nafokcol.exe 3000 Nqiogp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hleecc32.dll Mdehlk32.exe File opened for modification C:\Windows\SysWOW64\Miemjaci.exe Mgfqmfde.exe File opened for modification C:\Windows\SysWOW64\Pfjcgn32.exe Pggbkagp.exe File created C:\Windows\SysWOW64\Pmfhig32.exe Pncgmkmj.exe File created C:\Windows\SysWOW64\Ojopad32.exe Ogaceh32.exe File created C:\Windows\SysWOW64\Lcfcfldc.dll Ajdbcano.exe File created C:\Windows\SysWOW64\Amhpcomb.dll Lmdina32.exe File created C:\Windows\SysWOW64\Dldpkoil.exe Ddmhja32.exe File created C:\Windows\SysWOW64\Collmj32.dll Elgfgl32.exe File opened for modification C:\Windows\SysWOW64\Gcojed32.exe Gododflk.exe File opened for modification C:\Windows\SysWOW64\Gfgjgo32.exe Gblngpbd.exe File created C:\Windows\SysWOW64\Hodgkc32.exe Hijooifk.exe File created C:\Windows\SysWOW64\Ojmmkpmf.dll Kacphh32.exe File created C:\Windows\SysWOW64\Gncoccha.dll Kkkdan32.exe File created C:\Windows\SysWOW64\Dboiieof.dll Odgqdlnj.exe File created C:\Windows\SysWOW64\Iihqganf.dll Lenamdem.exe File created C:\Windows\SysWOW64\Jholncde.dll Mgfqmfde.exe File opened for modification C:\Windows\SysWOW64\Pdkcde32.exe Pqpgdfnp.exe File created C:\Windows\SysWOW64\Jfeopj32.exe Jbjcolha.exe File opened for modification C:\Windows\SysWOW64\Kpbmco32.exe Kmdqgd32.exe File created C:\Windows\SysWOW64\Kfankifm.exe Kbfbkj32.exe File opened for modification C:\Windows\SysWOW64\Kbfbkj32.exe Kpgfooop.exe File opened for modification C:\Windows\SysWOW64\Ldjhpl32.exe Lmppcbjd.exe File created C:\Windows\SysWOW64\Ckijjqka.dll Mgagbf32.exe File created C:\Windows\SysWOW64\Mcmabg32.exe Mdjagjco.exe File created C:\Windows\SysWOW64\Qgppolie.dll Ocgmpccl.exe File created C:\Windows\SysWOW64\Fpeohm32.dll Hfqlnm32.exe File opened for modification C:\Windows\SysWOW64\Jfoiokfb.exe Ibcmom32.exe File created C:\Windows\SysWOW64\Jpppnp32.exe Jlednamo.exe File created C:\Windows\SysWOW64\Amddjegd.exe Agglboim.exe File created C:\Windows\SysWOW64\Ddjejl32.exe Cffdpghg.exe File opened for modification C:\Windows\SysWOW64\Kfckahdj.exe Kpjcdn32.exe File created C:\Windows\SysWOW64\Klqcioba.exe Kmncnb32.exe File opened for modification C:\Windows\SysWOW64\Lmppcbjd.exe Leihbeib.exe File created C:\Windows\SysWOW64\Bfajji32.dll Lfkaag32.exe File created C:\Windows\SysWOW64\Nniadn32.dll Mbfkbhpa.exe File created C:\Windows\SysWOW64\Eqbmje32.dll Lpappc32.exe File created C:\Windows\SysWOW64\Bejogg32.exe Bblckl32.exe File created C:\Windows\SysWOW64\Hckjacjg.exe Hopnqdan.exe File created C:\Windows\SysWOW64\Ocnjidkf.exe Nnqbanmo.exe File opened for modification C:\Windows\SysWOW64\Abemjmgg.exe Alkdnboj.exe File opened for modification C:\Windows\SysWOW64\Bnlnon32.exe Bhaebcen.exe File created C:\Windows\SysWOW64\Qadpibkg.dll Ddgkpp32.exe File opened for modification C:\Windows\SysWOW64\Fojlngce.exe Fkopnh32.exe File created C:\Windows\SysWOW64\Eiecmmbf.dll Ldjhpl32.exe File created C:\Windows\SysWOW64\Lgikfn32.exe Ldkojb32.exe File created C:\Windows\SysWOW64\Lpappc32.exe Liggbi32.exe File opened for modification C:\Windows\SysWOW64\Pcagphom.exe Pengdk32.exe File created C:\Windows\SysWOW64\Pqpgdfnp.exe Pmdkch32.exe File opened for modification C:\Windows\SysWOW64\Mcmabg32.exe Mdjagjco.exe File created C:\Windows\SysWOW64\Olcjhi32.dll Mgkjhe32.exe File created C:\Windows\SysWOW64\Pfhfan32.exe Pgefeajb.exe File created C:\Windows\SysWOW64\Paihpaak.dll Ffgqqaip.exe File created C:\Windows\SysWOW64\Laffdj32.dll Hkkhqd32.exe File opened for modification C:\Windows\SysWOW64\Jfeopj32.exe Jbjcolha.exe File created C:\Windows\SysWOW64\Ldoaklml.exe Lpcfkm32.exe File created C:\Windows\SysWOW64\Mckemg32.exe Mdhdajea.exe File created C:\Windows\SysWOW64\Ckegia32.dll Laciofpa.exe File created C:\Windows\SysWOW64\Pbbgnpgl.exe Pnfkma32.exe File opened for modification C:\Windows\SysWOW64\Aanjpk32.exe Abkjdnoa.exe File created C:\Windows\SysWOW64\Maickled.dll Caebma32.exe File created C:\Windows\SysWOW64\Gfniiokn.dll Pcagphom.exe File created C:\Windows\SysWOW64\Heocnk32.exe Hflcbngh.exe File created C:\Windows\SysWOW64\Ipnjab32.exe Imoneg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6040 11384 WerFault.exe 598 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglkbhg.dll" Fhcpgmjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iihkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjeoglgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cklaknjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnigkegh.dll" Cknnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Choehhlk.dll" Hioiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nljofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgagbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll" Nebdoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelaijjp.dll" Ncnadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imoneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gokdeeec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adapgfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll" Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlbaq32.dll" Gcojed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogaceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cagecd32.dll" Pkfblfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dohfbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll" Kpbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll" Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll" Kkkdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll" Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmppcbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiigifj.dll" Dedkdcie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll" Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibjjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ampkof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpijopg.dll" Cahfmgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll" Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll" Pmidog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnihq32.dll" Anbkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chmeobkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dccbbhld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll" Jpnchp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" Cajlhqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjghpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icfpbq32.dll" Fkciihgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpoefk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcagphom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlgmpogj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heocnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbaemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgimcebb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndcdmikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll" Kaemnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onfbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abemjmgg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 4068 1852 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 83 PID 1852 wrote to memory of 4068 1852 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 83 PID 1852 wrote to memory of 4068 1852 135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe 83 PID 4068 wrote to memory of 1976 4068 Jdjfcecp.exe 84 PID 4068 wrote to memory of 1976 4068 Jdjfcecp.exe 84 PID 4068 wrote to memory of 1976 4068 Jdjfcecp.exe 84 PID 1976 wrote to memory of 552 1976 Jbmfoa32.exe 85 PID 1976 wrote to memory of 552 1976 Jbmfoa32.exe 85 PID 1976 wrote to memory of 552 1976 Jbmfoa32.exe 85 PID 552 wrote to memory of 2272 552 Jigollag.exe 86 PID 552 wrote to memory of 2272 552 Jigollag.exe 86 PID 552 wrote to memory of 2272 552 Jigollag.exe 86 PID 2272 wrote to memory of 4976 2272 Jangmibi.exe 87 PID 2272 wrote to memory of 4976 2272 Jangmibi.exe 87 PID 2272 wrote to memory of 4976 2272 Jangmibi.exe 87 PID 4976 wrote to memory of 3824 4976 Jbocea32.exe 88 PID 4976 wrote to memory of 3824 4976 Jbocea32.exe 88 PID 4976 wrote to memory of 3824 4976 Jbocea32.exe 88 PID 3824 wrote to memory of 1272 3824 Jkfkfohj.exe 90 PID 3824 wrote to memory of 1272 3824 Jkfkfohj.exe 90 PID 3824 wrote to memory of 1272 3824 Jkfkfohj.exe 90 PID 1272 wrote to memory of 632 1272 Kdopod32.exe 91 PID 1272 wrote to memory of 632 1272 Kdopod32.exe 91 PID 1272 wrote to memory of 632 1272 Kdopod32.exe 91 PID 632 wrote to memory of 2620 632 Kgmlkp32.exe 93 PID 632 wrote to memory of 2620 632 Kgmlkp32.exe 93 PID 632 wrote to memory of 2620 632 Kgmlkp32.exe 93 PID 2620 wrote to memory of 1200 2620 Kilhgk32.exe 94 PID 2620 wrote to memory of 1200 2620 Kilhgk32.exe 94 PID 2620 wrote to memory of 1200 2620 Kilhgk32.exe 94 PID 1200 wrote to memory of 4712 1200 Kacphh32.exe 95 PID 1200 wrote to memory of 4712 1200 Kacphh32.exe 95 PID 1200 wrote to memory of 4712 1200 Kacphh32.exe 95 PID 4712 wrote to memory of 3928 4712 Kbdmpqcb.exe 96 PID 4712 wrote to memory of 3928 4712 Kbdmpqcb.exe 96 PID 4712 wrote to memory of 3928 4712 Kbdmpqcb.exe 96 PID 3928 wrote to memory of 2348 3928 Kkkdan32.exe 97 PID 3928 wrote to memory of 2348 3928 Kkkdan32.exe 97 PID 3928 wrote to memory of 2348 3928 Kkkdan32.exe 97 PID 2348 wrote to memory of 3172 2348 Kaemnhla.exe 98 PID 2348 wrote to memory of 3172 2348 Kaemnhla.exe 98 PID 2348 wrote to memory of 3172 2348 Kaemnhla.exe 98 PID 3172 wrote to memory of 4684 3172 Kdcijcke.exe 99 PID 3172 wrote to memory of 4684 3172 Kdcijcke.exe 99 PID 3172 wrote to memory of 4684 3172 Kdcijcke.exe 99 PID 4684 wrote to memory of 3316 4684 Kgbefoji.exe 100 PID 4684 wrote to memory of 3316 4684 Kgbefoji.exe 100 PID 4684 wrote to memory of 3316 4684 Kgbefoji.exe 100 PID 3316 wrote to memory of 3912 3316 Kagichjo.exe 101 PID 3316 wrote to memory of 3912 3316 Kagichjo.exe 101 PID 3316 wrote to memory of 3912 3316 Kagichjo.exe 101 PID 3912 wrote to memory of 4056 3912 Kpjjod32.exe 102 PID 3912 wrote to memory of 4056 3912 Kpjjod32.exe 102 PID 3912 wrote to memory of 4056 3912 Kpjjod32.exe 102 PID 4056 wrote to memory of 2444 4056 Kgdbkohf.exe 103 PID 4056 wrote to memory of 2444 4056 Kgdbkohf.exe 103 PID 4056 wrote to memory of 2444 4056 Kgdbkohf.exe 103 PID 2444 wrote to memory of 4292 2444 Kibnhjgj.exe 104 PID 2444 wrote to memory of 4292 2444 Kibnhjgj.exe 104 PID 2444 wrote to memory of 4292 2444 Kibnhjgj.exe 104 PID 4292 wrote to memory of 4248 4292 Kpmfddnf.exe 105 PID 4292 wrote to memory of 4248 4292 Kpmfddnf.exe 105 PID 4292 wrote to memory of 4248 4292 Kpmfddnf.exe 105 PID 4248 wrote to memory of 3224 4248 Kckbqpnj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\135bbd5de2f6e7df2e97ab8f4bd311f0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe24⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4880 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe26⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4064 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe30⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe32⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe34⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe36⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe39⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe40⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe41⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe42⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe43⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe45⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe46⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe47⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe48⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe49⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe50⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe51⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe52⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe53⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe54⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe55⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe56⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe57⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe58⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe59⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe60⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe61⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe62⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe64⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe65⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe66⤵PID:4024
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe67⤵PID:4348
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe68⤵PID:1980
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe69⤵PID:3456
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe70⤵PID:2336
-
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe71⤵PID:1052
-
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe72⤵PID:3808
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe73⤵PID:3168
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe74⤵PID:2668
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe75⤵PID:1428
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe76⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe77⤵PID:4972
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe78⤵PID:1496
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe79⤵PID:1124
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4720 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe81⤵
- Modifies registry class
PID:3644 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe82⤵PID:2192
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe83⤵PID:3324
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe84⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe85⤵PID:4768
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe87⤵PID:5176
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe88⤵PID:5236
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe89⤵PID:5292
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe90⤵PID:5352
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe91⤵PID:5388
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe92⤵PID:5436
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe94⤵PID:5520
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe96⤵PID:5612
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe97⤵PID:5664
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe98⤵PID:5700
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe99⤵PID:5752
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe100⤵PID:5792
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe101⤵PID:5836
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe102⤵PID:5888
-
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe103⤵PID:5928
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe104⤵
- Modifies registry class
PID:5980 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe105⤵PID:6028
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe106⤵PID:6072
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe107⤵
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe109⤵PID:5208
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe111⤵PID:5400
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5448 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe113⤵PID:5508
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe114⤵PID:5576
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe115⤵PID:5656
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe117⤵PID:5780
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe118⤵PID:5856
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe119⤵PID:5916
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe120⤵PID:5996
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe121⤵PID:6068
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-