Analysis
max time kernel: 139s
max time network: 124s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13/05/2024, 20:07
Behavioral task behavioral1
Sample: 0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task behavioral2
Sample: 0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe
Size: 640KB
MD5: 0f050a7be38cf33aaaf2ac1283d945c0
SHA1: f2d08da0bdd86d16af07c8535b7d4efebf595f8d
SHA256: 0f1093f97880e91086014e430586e5e042cc61d3cfdb07cd193cd996cc0e7840
SHA512: 12a6bf47f920780caed91e1cb4a9c6abd8f7d0adc9abb0cb112f0233c822ba7ab7f3d650941b7e51a3733084fa293ff3ce40f59b55b209333891ce2c84610b30
SSDEEP: 12288:BdXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:BdXHfNIVIIVy2jU13fS2hEYM9RIPk
Malware Config
Signatures
All indicators below come from behavioral1 (win7-20240419-en). The sample is 32-bit, so every registry path is in the Wow6432Node view and every dropped file lands in SysWOW64.

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every event targets HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. Values under that key name COM objects that Explorer.exe instantiates when the shell starts, so an entry there is a logon autostart that needs no Run key. Each generation of the dropper re-creates the key and writes the same value, "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}". The value name and the CLSID are constant across generations and are the most stable host indicators in this report.

Key created (40 events): Badnhbce.exe, Ilabmedg.exe, Apcfahio.exe, Ohaeia32.exe, Iknnbklc.exe, Knjbnh32.exe, Mhhfdo32.exe, Ebefgm32.exe, Lhpfqama.exe, Kpjhkjde.exe, Kobkpdfa.exe, Ojigbhlp.exe, Okdkal32.exe, Kncaojfb.exe, Qflhbhgg.exe, Bphbeplm.exe, Eogmcjef.exe, Hgilchkf.exe, Afdiondb.exe; 21 further events attributed to "Process not Found".

Set value (str) ...\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (24 events): Nefbga32.exe, Hfegij32.exe, Oekhacbn.exe, Eobchk32.exe, Oeckfndj.exe, Okgnab32.exe, Jmhnkfpa.exe, Qoeeolig.exe, Idkpganf.exe, Abjebn32.exe, Bdmddc32.exe, Pgnjde32.exe, Hpapln32.exe, Fheabelm.exe, Ehgppi32.exe; 9 further events attributed to "Process not Found".

"Process not Found" means the sandbox could not attribute the event to a tracked process, typically because that generation had already exited by the time the event was recorded.
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

The YARA rule family_berbew matched 64 resources in behavioral1: 51 dropped files and 13 process memory regions. Every memory hit is a 0x3E000-byte region, consistent with the same unpacked image appearing in successive generations.

Dropped files (behavioral1/files/...):
0x000c00000001227b-5.dat, 0x0008000000015d89-18.dat, 0x0007000000015fbb-33.dat, 0x0007000000016126-53.dat, 0x0008000000016d2d-61.dat, 0x0006000000016d3e-74.dat, 0x0036000000015d13-88.dat, 0x0006000000016d57-101.dat, 0x0006000000016d73-115.dat, 0x0006000000016d7d-135.dat, 0x000600000001708c-143.dat, 0x000600000001738e-156.dat, 0x00060000000173e2-170.dat, 0x0006000000017436-190.dat, 0x0006000000017577-198.dat, 0x00060000000175fd-212.dat, 0x000d000000018689-228.dat, 0x000500000001870e-235.dat, 0x0005000000018749-244.dat, 0x000600000001902f-253.dat, 0x000500000001925a-265.dat, 0x000500000001927b-274.dat, 0x000500000001937a-286.dat, 0x00050000000193b6-298.dat, 0x00050000000193d4-308.dat, 0x00050000000193fd-319.dat, 0x000500000001943a-331.dat, 0x0005000000019539-341.dat, 0x0005000000019618-354.dat, 0x000500000001961d-364.dat, 0x0005000000019621-375.dat, 0x0005000000019625-384.dat, 0x0005000000019629-396.dat, 0x000500000001962d-406.dat, 0x0005000000019631-417.dat, 0x0005000000019634-429.dat, 0x0005000000019677-439.dat, 0x00050000000196c2-451.dat, 0x0005000000019800-462.dat, 0x00050000000198eb-470.dat, 0x0005000000019c63-483.dat, 0x0005000000019c65-493.dat, 0x0005000000019dc2-504.dat, 0x0005000000019dfa-515.dat, 0x000500000001a041-528.dat, 0x000500000001a0b4-537.dat, 0x000500000001a0e0-549.dat, 0x000500000001a411-558.dat, 0x000500000001a464-569.dat, 0x000500000001a46e-578.dat, 0x000500000001a4a9-590.dat

Memory regions (behavioral1/memory/<pid>-<n>, process name from the "Executes dropped EXE" table):
1880-267, 1880-270 (Fpfdalii.exe): 0x00000000002F0000-0x000000000032E000
2152-311, 2152-312 (Gbijhg32.exe): 0x0000000000440000-0x000000000047E000
2468-330 (Ghhofmql.exe): 0x0000000000250000-0x000000000028E000
3032-344 (Gdopkn32.exe): 0x00000000002D0000-0x000000000030E000
3028-355, 3028-356 (Gkihhhnm.exe): 0x0000000000250000-0x000000000028E000
2648-363 (Ggpimica.exe): 0x0000000001F50000-0x0000000001F8E000
2636-388 (Gphmeo32.exe): 0x00000000002F0000-0x000000000032E000
2500-409 (Hkpnhgge.exe): 0x00000000005D0000-0x000000000060E000
1968-450 (Hpapln32.exe): 0x0000000000320000-0x000000000035E000
1812-467 (Hjjddchg.exe): 0x0000000000260000-0x000000000029E000
Executes dropped EXE (64 IoCs)
pid and process, in execution order. Every name is eight letters, most ending in "32" to resemble system binaries, and each one is a fresh copy of the dropper written to SysWOW64 by its predecessor.
2416 Apcfahio.exe
2284 Bbdocc32.exe
2916 Bhcdaibd.exe
2816 Balijo32.exe
2640 Bdooajdc.exe
2520 Ccdlbf32.exe
2332 Clomqk32.exe
2772 Ckdjbh32.exe
2312 Chhjkl32.exe
1700 Dngoibmo.exe
376 Dqjepm32.exe
1620 Dcknbh32.exe
836 Eijcpoac.exe
1424 Ebbgid32.exe
2928 Eiaiqn32.exe
540 Flabbihl.exe
576 Fmekoalh.exe
1808 Fdoclk32.exe
1140 Fmhheqje.exe
1880 Fpfdalii.exe
1992 Fmjejphb.exe
2368 Fddmgjpo.exe
916 Globlmmj.exe
2152 Gbijhg32.exe
2260 Gejcjbah.exe
2468 Ghhofmql.exe
3032 Gdopkn32.exe
3028 Gkihhhnm.exe
2648 Ggpimica.exe
2720 Gmjaic32.exe
2636 Gphmeo32.exe
2716 Hahjpbad.exe
2500 Hkpnhgge.exe
2536 Hpmgqnfl.exe
2776 Hlcgeo32.exe
2604 Hgilchkf.exe
1968 Hpapln32.exe
1812 Hjjddchg.exe
2572 Idceea32.exe
1488 Ihoafpmp.exe
1756 Iknnbklc.exe
1432 Ihankokm.exe
2924 Iajcde32.exe
332 Ihdkao32.exe
1468 Iblpjdpk.exe
988 Igihbknb.exe
2372 Ijgdngmf.exe
1540 Idmhkpml.exe
952 Jqdipqbp.exe
3048 Jcbellac.exe
352 Jfqahgpg.exe
1500 Jqfffqpm.exe
2908 Jcdbbloa.exe
2892 Jjojofgn.exe
1928 Jcgogk32.exe
2840 Jmocpado.exe
2880 Jonplmcb.exe
2560 Jfghif32.exe
2992 Jifdebic.exe
2864 Jkdpanhg.exe
1976 Kkgmgmfd.exe
624 Kneicieh.exe
1740 Kbqecg32.exe
1416 Kngfih32.exe
Loads dropped DLL (64 IoCs)
Two load events are recorded for each of the following 32 processes (pid, process), the original sample first and then the first 31 generations in order:
2952 0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe, 2416 Apcfahio.exe, 2284 Bbdocc32.exe, 2916 Bhcdaibd.exe, 2816 Balijo32.exe, 2640 Bdooajdc.exe, 2520 Ccdlbf32.exe, 2332 Clomqk32.exe, 2772 Ckdjbh32.exe, 2312 Chhjkl32.exe, 1700 Dngoibmo.exe, 376 Dqjepm32.exe, 1620 Dcknbh32.exe, 836 Eijcpoac.exe, 1424 Ebbgid32.exe, 2928 Eiaiqn32.exe, 540 Flabbihl.exe, 576 Fmekoalh.exe, 1808 Fdoclk32.exe, 1140 Fmhheqje.exe, 1880 Fpfdalii.exe, 1992 Fmjejphb.exe, 2368 Fddmgjpo.exe, 916 Globlmmj.exe, 2152 Gbijhg32.exe, 2260 Gejcjbah.exe, 2468 Ghhofmql.exe, 3032 Gdopkn32.exe, 3028 Gkihhhnm.exe, 2648 Ggpimica.exe, 2720 Gmjaic32.exe, 2636 Gphmeo32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64\ (writing there requires administrative rights, which the sandbox grants). Format: operation, file, acting process.
created, Plmbkd32.exe, Process not Found
opened for modification, Olopjddf.exe, Process not Found
created, Lpcafg32.dll, Process not Found
created, Cgcmlcja.exe, Cddaphkn.exe
created, Pihbeaea.dll, Process not Found
created, Lcohahpn.exe, Process not Found
created, Qbbbol32.dll, Process not Found
created, Mblcin32.exe, Process not Found
created, Gonahjjd.dll, Naoniipe.exe
created, Fknjekca.dll, Oaffbqaa.exe
created, Qkibcg32.exe, Qfljkp32.exe
opened for modification, Jqgoiokm.exe, Jgojpjem.exe
created, Nmkncofl.exe, Mbeiefff.exe
created, Gmipko32.exe, Process not Found
created, Gdcmig32.exe, Process not Found
created, Demofaol.exe, Djgkii32.exe
created, Joggci32.exe, Process not Found
created, Leqeed32.exe, Process not Found
created, Dlpcaqhf.dll, Gpkpedmh.exe
opened for modification, Lgpiij32.exe, Leammn32.exe
created, Nepokogo.exe, Process not Found
created, Nfigck32.exe, Process not Found
created, Jpfppg32.dll, Lghjel32.exe
opened for modification, Ionefb32.exe, Ihdmihpn.exe
created, Fhbqnb32.dll, Bmphhc32.exe
created, Kppldhla.exe, Process not Found
created, Bbqkeioh.exe, Process not Found
opened for modification, Pehcij32.exe, Process not Found
created, Ilcmjl32.exe, Ijdqna32.exe
opened for modification, Eeielfhk.exe, Elqaca32.exe
created, Amjpgdik.exe, Process not Found
opened for modification, Pmqffonj.exe, Process not Found
created, Ancjqghh.dll, Kiqpop32.exe
created, Kbelde32.dll, Lfdmggnm.exe
created, Cmjbhh32.exe, Cdanpb32.exe
opened for modification, Bgqcjlhp.exe, Bpjkiogm.exe
created, Gckemgnc.dll, Jhjphfgi.exe
opened for modification, Peeoidik.exe, Process not Found
created, Fipdqmje.exe, Process not Found
created, Ekdchf32.exe, Eegkpo32.exe
created, Lkggmldl.exe, Process not Found
created, Mkcplien.exe, Process not Found
created, Eacehe32.dll, Process not Found
created, Bbdjgbdg.dll, Process not Found
created, Cnnnnh32.exe, Cmmagpef.exe
opened for modification, Baneak32.exe, Process not Found
opened for modification, Gicdnj32.exe, Gpkpedmh.exe
created, Ihpfgalh.exe, Iafnjg32.exe
created, Dcming32.dll, Process not Found
opened for modification, Aqbdkk32.exe, Abpcooea.exe
opened for modification, Bjbndpmd.exe, Boljgg32.exe
created, Kqqboncb.exe, Jghmfhmb.exe
created, Podpaa32.dll, Process not Found
created, Echjfecq.dll, Dphfbiem.exe
created, Bghjhp32.exe, Bmpfojmp.exe
created, Libicbma.exe, Lfdmggnm.exe
created, Gfkdmglc.dll, Moidahcn.exe
created, Ihdjpd32.dll, Qfljkp32.exe
created, Nplimbka.exe, Nfdddm32.exe
created, Kbclpfop.dll, Process not Found
opened for modification, Hlcgeo32.exe, Hpmgqnfl.exe
opened for modification, Hjqqap32.exe, Hfedqagp.exe
created, Jdcpkp32.exe, Process not Found
created, Fdapcg32.exe, Process not Found
Program crash (1 IoC)
pid: 6292
pid_target: 1824
Process: Process not Found
procid_target: 2216
Modifies registry class (64 IoCs)
All 64 events touch one key: HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32. This is the second half of the autostart described under "Adds autorun key": the ShellServiceObjectDelayLoad value names the CLSID, and this key tells Explorer.exe which DLL implements it. Each generation re-points the InProcServer32 default value at a freshly named DLL in C:\Windows\SysWow64, so the CLSID stays constant while the loaded DLL name changes. ThreadingModel is always set to "Apartment".

Key created (24 events): Dqjepm32.exe, Pggdejno.exe, Pgpgjepk.exe, Mmgfqh32.exe, Ionefb32.exe, Gnefapmj.exe, Eccpoo32.exe, Kebgia32.exe, Npagjpcd.exe, Bbdocc32.exe, Mnaggcej.exe; 13 further events attributed to "Process not Found".

Set value (str) InProcServer32\(default) (18 events), DLL and acting process:
C:\Windows\SysWow64\Ggmaao32.dll, Process not Found
C:\Windows\SysWow64\Hgfcop32.dll, Process not Found
C:\Windows\SysWow64\Ehllae32.dll, Ihankokm.exe
C:\Windows\SysWow64\Qffmipmp.dll, Ejkima32.exe
C:\Windows\SysWow64\Jondii32.dll, Kkoncdcp.exe
C:\Windows\SysWow64\Jjipagod.dll, Process not Found
C:\Windows\SysWow64\Hcohnaep.dll, Pgnjde32.exe
C:\Windows\SysWow64\Noihdcih.dll, Process not Found
C:\Windows\SysWow64\Bnebcm32.dll, Process not Found
C:\Windows\SysWow64\Idfejc32.dll, Process not Found
C:\Windows\SysWow64\Pmiljc32.dll, Cfhkhd32.exe
C:\Windows\SysWow64\Ciqmoj32.dll, Process not Found
C:\Windows\SysWow64\Hjjokpjd.dll, Dgbeiiqe.exe
C:\Windows\SysWow64\Gjoomoin.dll, Knjegqif.exe
C:\Windows\SysWow64\Ffgpgl32.dll, Process not Found
C:\Windows\SysWow64\Nfkokh32.dll, Process not Found
C:\Windows\SysWow64\Omfpmb32.dll, Process not Found
C:\Windows\SysWow64\Oakomajq.dll, Dcenlceh.exe

Set value (str) InProcServer32\ThreadingModel = "Apartment" (22 events): Aekqmbod.exe, Djiqdb32.exe, Ggkqmoma.exe, Bjbcfn32.exe, Cbajkiof.exe, Dbkknojp.exe, Mjnjjbbh.exe, Pcaepg32.exe, Qmicohqm.exe, Hfegij32.exe, Fgkbeb32.exe, Ejkima32.exe, Jdbkjn32.exe, Nhjjgd32.exe; 8 further events attributed to "Process not Found".
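The two registry sections above ("Adds autorun key" and "Modifies registry class") describe one persistence chain: an SSODL value that names a CLSID, and a CLSID key whose InProcServer32 points at a dropped DLL in SysWOW64. The script below is an added example for checking a live host for that chain; it is not part of the Triage report and not code from the sample. It assumes an elevated 64-bit PowerShell 3 or later session on the host under investigation and is read-only. The function names (Get-SsodlPersistence, Resolve-InProcServer32, Get-SignerSummary) are mine; the only values taken from the report are the CLSID and the "Web Event Logger" value name. It walks both the native and the Wow6432Node SSODL keys, resolves every CLSID to its InProcServer32 DLL in the matching Classes view, and flags a direct match on the report's indicators as well as any DLL that is missing, unsigned, or not Microsoft-signed.

```powershell
# Added example, not from the Triage report or the Berbew sample.
# Hunts for ShellServiceObjectDelayLoad (SSODL) persistence of the kind recorded above.
# Requires PowerShell 3+ in an elevated 64-bit session. Read-only: nothing is modified.

# Indicator values taken from the report above; everything else is generic.
$ReportClsid     = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$ReportValueName = 'Web Event Logger'

# PowerShell adds these note properties to Get-ItemProperty output; they are not registry values.
$PsMetadataProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-InProcServer32 {
    # Map a CLSID to the DLL Explorer.exe would load for it, in the same 32/64-bit view
    # as the SSODL key it came from. Returns $null when the key or value is absent.
    param([string]$Clsid, [bool]$Wow64)
    $classes = if ($Wow64) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $key = Join-Path $classes "$Clsid\InProcServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Get-SignerSummary {
    # Authenticode check of the resolved DLL. Returns MISSING, UNSIGNED/<status>, or the signer subject.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED/$($sig.Status)" }
    return $sig.SignerCertificate.Subject
}

function Get-SsodlPersistence {
    # One record per SSODL value in either view, with the resolved DLL, its signer and a verdict.
    $views = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad';             Wow64 = $false },
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'; Wow64 = $true  }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Key)) { continue }
        $item = Get-ItemProperty -LiteralPath $v.Key
        foreach ($prop in $item.PSObject.Properties) {
            if ($PsMetadataProps -contains $prop.Name) { continue }
            $clsid  = [string]$prop.Value
            $dll    = Resolve-InProcServer32 -Clsid $clsid -Wow64 $v.Wow64
            $signer = Get-SignerSummary -Path $dll
            $verdict = if ($clsid -ieq $ReportClsid -or $prop.Name -ieq $ReportValueName) { 'MATCHES REPORT IOC' }
                       elseif ($signer -eq 'MISSING' -or $signer -like 'UNSIGNED*' -or $signer -notmatch 'Microsoft') { 'REVIEW' }
                       else { 'ok' }
            [pscustomobject]@{
                View    = if ($v.Wow64) { 'Wow6432Node' } else { 'native' }
                Name    = $prop.Name
                CLSID   = $clsid
                DLL     = $dll
                Signer  = $signer
                Verdict = $verdict
            }
        }
    }
}

Get-SsodlPersistence | Format-Table -AutoSize
```

Treat "MATCHES REPORT IOC" as a firm hit and "REVIEW" as a triage cue: on Windows 7 hosts Get-AuthenticodeSignature does not consult the catalog store, so some legitimate Microsoft DLLs report NotSigned there, whereas a value pointing at an unsigned eight-letter DLL in SysWOW64 is exactly the pattern in this report. Because each generation re-points the same CLSID, clean up the SSODL value and the CLSID key before removing the DLL and the running copies, or the next generation will simply write them back.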
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write is logged four times in this signature (64 events in total); the table collapses them to one row per pair.
description | pid | Process | procid_target | events
PID 2952 wrote to memory of 2416 | 2952 | 0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe | 28 | 4
PID 2416 wrote to memory of 2284 | 2416 | Apcfahio.exe | 29 | 4
PID 2284 wrote to memory of 2916 | 2284 | Bbdocc32.exe | 30 | 4
PID 2916 wrote to memory of 2816 | 2916 | Bhcdaibd.exe | 31 | 4
PID 2816 wrote to memory of 2640 | 2816 | Balijo32.exe | 32 | 4
PID 2640 wrote to memory of 2520 | 2640 | Bdooajdc.exe | 33 | 4
PID 2520 wrote to memory of 2332 | 2520 | Ccdlbf32.exe | 34 | 4
PID 2332 wrote to memory of 2772 | 2332 | Clomqk32.exe | 35 | 4
PID 2772 wrote to memory of 2312 | 2772 | Ckdjbh32.exe | 36 | 4
PID 2312 wrote to memory of 1700 | 2312 | Chhjkl32.exe | 37 | 4
PID 1700 wrote to memory of 376 | 1700 | Dngoibmo.exe | 38 | 4
PID 376 wrote to memory of 1620 | 376 | Dqjepm32.exe | 39 | 4
PID 1620 wrote to memory of 836 | 1620 | Dcknbh32.exe | 40 | 4
PID 836 wrote to memory of 1424 | 836 | Eijcpoac.exe | 41 | 4
PID 1424 wrote to memory of 2928 | 1424 | Ebbgid32.exe | 42 | 4
PID 2928 wrote to memory of 540 | 2928 | Eiaiqn32.exe | 43 | 4
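The two signatures above are what make this chain worth triaging: every generation registers the same CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under ShellServiceObjectDelayLoad (so Explorer loads it at logon) and repoints that CLSID's InProcServer32 at the DLL it has just dropped into SysWOW64, while the WriteProcessMemory events show each dropped EXE starting the next one. The parser below is an added example, not Triage's own code: it rebuilds both facts from the flattened signature text in this report, collapsing the four-times-repeated WriteProcessMemory rows into a parent-to-child chain and resolving each ShellServiceObjectDelayLoad value to its CLSID and to every DLL path written as that CLSID's InProcServer32 default (the last write is the one Explorer would load). The sample strings are constructed excerpts of the events shown above; the regex and function names are this example's own. One caveat when reading the process list further down: image paths are under C:\Windows\SysWOW64 while the recorded command lines say C:\Windows\system32, because this is a 32-bit chain on 64-bit Windows and the system32 references are redirected by WoW64, which is also why the registry writes land under Wow6432Node.

```python
"""Rebuild the process chain and the ShellServiceObjectDelayLoad persistence
from the flattened signature text of a Triage report.
Added example, not Triage's own code. The sample strings below are
constructed excerpts of the events shown in this report."""
import re
from collections import OrderedDict

# Constructed excerpt of 'Suspicious use of WriteProcessMemory'. Triage logs
# each WriteProcessMemory call separately, so one parent->child spawn repeats.
WPM_TEXT = (
    "PID 2952 wrote to memory of 2416 2952 "
    "0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe 28 "
    "PID 2952 wrote to memory of 2416 2952 "
    "0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe 28 "
    "PID 2416 wrote to memory of 2284 2416 Apcfahio.exe 29 "
    "PID 2416 wrote to memory of 2284 2416 Apcfahio.exe 29 "
    "PID 2284 wrote to memory of 2916 2284 Bbdocc32.exe 30 "
    "PID 2916 wrote to memory of 2816 2916 Bhcdaibd.exe 31"
)

# Constructed excerpt of the registry signatures (doubled backslashes are how
# the report prints the DLL path).
REG_TEXT = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows'
    r'\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = '
    r'"{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kebgia32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = '
    r'"C:\\Windows\\SysWow64\\Ffgpgl32.dll" Process not Found '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = '
    r'"Apartment" Fgkbeb32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = '
    r'"C:\\Windows\\SysWow64\\Oakomajq.dll" Dcenlceh.exe'
)

CLSID = r"\{[0-9A-Fa-f-]+\}"
# description / pid / Process / procid_target, as flattened in the report
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
SSODL_RE = re.compile(r'ShellServiceObjectDelayLoad\\([^\\=]+?) = "(' + CLSID + r')"')
INPROC_RE = re.compile(r"CLSID\\(" + CLSID + r')\\InProcServer32\\ = "([^"]+)"')


def parse_wpm(text):
    """Return unique (parent_pid, child_pid, parent_image) edges in report order."""
    edges = OrderedDict()
    for parent, child, pid, image, _target in WPM_RE.findall(text):
        if parent != pid:  # the pid column repeats the writer's PID
            continue
        edges.setdefault((int(parent), int(child)), image)
    return [(p, c, img) for (p, c), img in edges.items()]


def build_chain(edges):
    """Walk parent->child edges from the root (the one PID nobody writes to).
    Returns [(pid, image), ...]; the image of the final child is None because
    it never appears as a writer. This report is a single linear chain, so one
    child per parent is assumed."""
    parent_of = {c: p for p, c, _ in edges}
    child_of = {p: c for p, c, _ in edges}
    image_of = {p: img for p, _, img in edges}
    roots = [p for p in child_of if p not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected one root, got {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, image_of.get(pid)))
        pid = child_of.get(pid)
    return chain


def persistence_map(text):
    """Map each ShellServiceObjectDelayLoad value name to (CLSID, [DLL paths])
    where the paths are every InProcServer32 default written for that CLSID."""
    dlls = {}
    for clsid, path in INPROC_RE.findall(text):
        dlls.setdefault(clsid, []).append(path.replace("\\\\", "\\"))
    return {name: (clsid, dlls.get(clsid, []))
            for name, clsid in SSODL_RE.findall(text)}


def live_dll(pmap, value_name):
    """The DLL Explorer would load at next logon: the last InProcServer32 write."""
    _clsid, paths = pmap[value_name]
    return paths[-1] if paths else None


if __name__ == "__main__":
    for pid, image in build_chain(parse_wpm(WPM_TEXT)):
        print(f"{pid:>5}  {image or '(not a writer in this excerpt)'}")
    pmap = persistence_map(REG_TEXT)
    for name, (clsid, paths) in pmap.items():
        print(f"SSODL {name!r} -> {clsid} -> {paths}; live: {live_dll(pmap, name)}")
```

To run it against the full report, paste the complete signature text into WPM_TEXT and REG_TEXT; the chain should then come out 17 PIDs long for the WriteProcessMemory signature, and every InProcServer32 path in the registry signature resolves to the same CLSID.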
Processes
The tree is a single chain: each process is the child of the one above it (depth 1 to 122). For every dropped process the image path is C:\Windows\SysWOW64\<name> and the recorded command line is C:\Windows\system32\<name>; the signatures attached to each process are in the last column.
depth | PID | image | signatures
1 | 2952 | C:\Users\Admin\AppData\Local\Temp\0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe (command line "C:\Users\Admin\AppData\Local\Temp\0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe") | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | 2416 | C:\Windows\SysWOW64\Apcfahio.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | 2284 | C:\Windows\SysWOW64\Bbdocc32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
4 | 2916 | C:\Windows\SysWOW64\Bhcdaibd.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | 2816 | C:\Windows\SysWOW64\Balijo32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | 2640 | C:\Windows\SysWOW64\Bdooajdc.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | 2520 | C:\Windows\SysWOW64\Ccdlbf32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | 2332 | C:\Windows\SysWOW64\Clomqk32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | 2772 | C:\Windows\SysWOW64\Ckdjbh32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | 2312 | C:\Windows\SysWOW64\Chhjkl32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | 1700 | C:\Windows\SysWOW64\Dngoibmo.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | 376 | C:\Windows\SysWOW64\Dqjepm32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13 | 1620 | C:\Windows\SysWOW64\Dcknbh32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | 836 | C:\Windows\SysWOW64\Eijcpoac.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | 1424 | C:\Windows\SysWOW64\Ebbgid32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | 2928 | C:\Windows\SysWOW64\Eiaiqn32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | 540 | C:\Windows\SysWOW64\Flabbihl.exe | Executes dropped EXE; Loads dropped DLL
18 | 576 | C:\Windows\SysWOW64\Fmekoalh.exe | Executes dropped EXE; Loads dropped DLL
19 | 1808 | C:\Windows\SysWOW64\Fdoclk32.exe | Executes dropped EXE; Loads dropped DLL
20 | 1140 | C:\Windows\SysWOW64\Fmhheqje.exe | Executes dropped EXE; Loads dropped DLL
21 | 1880 | C:\Windows\SysWOW64\Fpfdalii.exe | Executes dropped EXE; Loads dropped DLL
22 | 1992 | C:\Windows\SysWOW64\Fmjejphb.exe | Executes dropped EXE; Loads dropped DLL
23 | 2368 | C:\Windows\SysWOW64\Fddmgjpo.exe | Executes dropped EXE; Loads dropped DLL
24 | 916 | C:\Windows\SysWOW64\Globlmmj.exe | Executes dropped EXE; Loads dropped DLL
25 | 2152 | C:\Windows\SysWOW64\Gbijhg32.exe | Executes dropped EXE; Loads dropped DLL
26 | 2260 | C:\Windows\SysWOW64\Gejcjbah.exe | Executes dropped EXE; Loads dropped DLL
27 | 2468 | C:\Windows\SysWOW64\Ghhofmql.exe | Executes dropped EXE; Loads dropped DLL
28 | 3032 | C:\Windows\SysWOW64\Gdopkn32.exe | Executes dropped EXE; Loads dropped DLL
29 | 3028 | C:\Windows\SysWOW64\Gkihhhnm.exe | Executes dropped EXE; Loads dropped DLL
30 | 2648 | C:\Windows\SysWOW64\Ggpimica.exe | Executes dropped EXE; Loads dropped DLL
31 | 2720 | C:\Windows\SysWOW64\Gmjaic32.exe | Executes dropped EXE; Loads dropped DLL
32 | 2636 | C:\Windows\SysWOW64\Gphmeo32.exe | Executes dropped EXE; Loads dropped DLL
33 | 2716 | C:\Windows\SysWOW64\Hahjpbad.exe | Executes dropped EXE
34 | 2500 | C:\Windows\SysWOW64\Hkpnhgge.exe | Executes dropped EXE
35 | 2536 | C:\Windows\SysWOW64\Hpmgqnfl.exe | Executes dropped EXE; Drops file in System32 directory
36 | 2776 | C:\Windows\SysWOW64\Hlcgeo32.exe | Executes dropped EXE
37 | 2604 | C:\Windows\SysWOW64\Hgilchkf.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38 | 1968 | C:\Windows\SysWOW64\Hpapln32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39 | 1812 | C:\Windows\SysWOW64\Hjjddchg.exe | Executes dropped EXE
40 | 2572 | C:\Windows\SysWOW64\Idceea32.exe | Executes dropped EXE
41 | 1488 | C:\Windows\SysWOW64\Ihoafpmp.exe | Executes dropped EXE
42 | 1756 | C:\Windows\SysWOW64\Iknnbklc.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43 | 1432 | C:\Windows\SysWOW64\Ihankokm.exe | Executes dropped EXE; Modifies registry class
44 | 2924 | C:\Windows\SysWOW64\Iajcde32.exe | Executes dropped EXE
45 | 332 | C:\Windows\SysWOW64\Ihdkao32.exe | Executes dropped EXE
46 | 1468 | C:\Windows\SysWOW64\Iblpjdpk.exe | Executes dropped EXE
47 | 988 | C:\Windows\SysWOW64\Igihbknb.exe | Executes dropped EXE
48 | 2372 | C:\Windows\SysWOW64\Ijgdngmf.exe | Executes dropped EXE
49 | 1540 | C:\Windows\SysWOW64\Idmhkpml.exe | Executes dropped EXE
50 | 952 | C:\Windows\SysWOW64\Jqdipqbp.exe | Executes dropped EXE
51 | 3048 | C:\Windows\SysWOW64\Jcbellac.exe | Executes dropped EXE
52 | 352 | C:\Windows\SysWOW64\Jfqahgpg.exe | Executes dropped EXE
53 | 1500 | C:\Windows\SysWOW64\Jqfffqpm.exe | Executes dropped EXE
54 | 2908 | C:\Windows\SysWOW64\Jcdbbloa.exe | Executes dropped EXE
55 | 2892 | C:\Windows\SysWOW64\Jjojofgn.exe | Executes dropped EXE
56 | 1928 | C:\Windows\SysWOW64\Jcgogk32.exe | Executes dropped EXE
57 | 2840 | C:\Windows\SysWOW64\Jmocpado.exe | Executes dropped EXE
58 | 2880 | C:\Windows\SysWOW64\Jonplmcb.exe | Executes dropped EXE
59 | 2560 | C:\Windows\SysWOW64\Jfghif32.exe | Executes dropped EXE
60 | 2992 | C:\Windows\SysWOW64\Jifdebic.exe | Executes dropped EXE
61 | 2864 | C:\Windows\SysWOW64\Jkdpanhg.exe | Executes dropped EXE
62 | 1976 | C:\Windows\SysWOW64\Kkgmgmfd.exe | Executes dropped EXE
63 | 624 | C:\Windows\SysWOW64\Kneicieh.exe | Executes dropped EXE
64 | 1740 | C:\Windows\SysWOW64\Kbqecg32.exe | Executes dropped EXE
65 | 1416 | C:\Windows\SysWOW64\Kngfih32.exe | Executes dropped EXE
66 | 2016 | C:\Windows\SysWOW64\Kcdnao32.exe | (none)
67 | 1120 | C:\Windows\SysWOW64\Knjbnh32.exe | Adds autorun key to be loaded by Explorer.exe on startup
68 | 536 | C:\Windows\SysWOW64\Kmmcjehm.exe | (none)
69 | 1472 | C:\Windows\SysWOW64\Kgbggnhc.exe | (none)
70 | 2384 | C:\Windows\SysWOW64\Kjqccigf.exe | (none)
71 | 1660 | C:\Windows\SysWOW64\Kaklpcoc.exe | (none)
72 | 1100 | C:\Windows\SysWOW64\Kblhgk32.exe | (none)
73 | 1036 | C:\Windows\SysWOW64\Kifpdelo.exe | (none)
74 | 2136 | C:\Windows\SysWOW64\Lbnemk32.exe | (none)
75 | 1572 | C:\Windows\SysWOW64\Lmcijcbe.exe | (none)
76 | 1600 | C:\Windows\SysWOW64\Lpbefoai.exe | (none)
77 | 2628 | C:\Windows\SysWOW64\Lhmjkaoc.exe | (none)
78 | 2512 | C:\Windows\SysWOW64\Lpdbloof.exe | (none)
79 | 2956 | C:\Windows\SysWOW64\Lafndg32.exe | (none)
80 | 2764 | C:\Windows\SysWOW64\Lhpfqama.exe | Adds autorun key to be loaded by Explorer.exe on startup
81 | 1988 | C:\Windows\SysWOW64\Lojomkdn.exe | (none)
82 | 2188 | C:\Windows\SysWOW64\Lahkigca.exe | (none)
83 | 2492 | C:\Windows\SysWOW64\Lhbcfa32.exe | (none)
84 | 2728 | C:\Windows\SysWOW64\Lajhofao.exe | (none)
85 | 2060 | C:\Windows\SysWOW64\Ldidkbpb.exe | (none)
86 | 1644 | C:\Windows\SysWOW64\Monhhk32.exe | (none)
87 | 1612 | C:\Windows\SysWOW64\Mdkqqa32.exe | (none)
88 | 956 | C:\Windows\SysWOW64\Mgimmm32.exe | (none)
89 | 2936 | C:\Windows\SysWOW64\Mmceigep.exe | (none)
90 | 1724 | C:\Windows\SysWOW64\Mdmmfa32.exe | (none)
91 | 2348 | C:\Windows\SysWOW64\Mkgfckcj.exe | (none)
92 | 2084 | C:\Windows\SysWOW64\Mlibjc32.exe | (none)
93 | 2120 | C:\Windows\SysWOW64\Mdpjlajk.exe | (none)
94 | 2556 | C:\Windows\SysWOW64\Meagci32.exe | (none)
95 | 2788 | C:\Windows\SysWOW64\Mpfkqb32.exe | (none)
96 | 2592 | C:\Windows\SysWOW64\Mgqcmlgl.exe | (none)
97 | 2480 | C:\Windows\SysWOW64\Mlmlecec.exe | (none)
98 | 2564 | C:\Windows\SysWOW64\Najdnj32.exe | (none)
99 | 1300 | C:\Windows\SysWOW64\Nhdlkdkg.exe | (none)
100 | 2712 | C:\Windows\SysWOW64\Ncjqhmkm.exe | (none)
101 | 680 | C:\Windows\SysWOW64\Nehmdhja.exe | (none)
102 | 2336 | C:\Windows\SysWOW64\Nlbeqb32.exe | (none)
103 | 2344 | C:\Windows\SysWOW64\Naoniipe.exe | Drops file in System32 directory
104 | 1380 | C:\Windows\SysWOW64\Nglfapnl.exe | (none)
105 | 884 | C:\Windows\SysWOW64\Naajoinb.exe | (none)
106 | 2244 | C:\Windows\SysWOW64\Ngnbgplj.exe | (none)
107 | 1496 | C:\Windows\SysWOW64\Npfgpe32.exe | (none)
108 | 2824 | C:\Windows\SysWOW64\Nceclqan.exe | (none)
109 | 2812 | C:\Windows\SysWOW64\Ojolhk32.exe | (none)
110 | 2304 | C:\Windows\SysWOW64\Oqideepg.exe | (none)
111 | 2792 | C:\Windows\SysWOW64\Onmdoioa.exe | (none)
112 | 2748 | C:\Windows\SysWOW64\Ocimgp32.exe | (none)
113 | 1672 | C:\Windows\SysWOW64\Ojcecjee.exe | (none)
114 | 1288 | C:\Windows\SysWOW64\Ombapedi.exe | (none)
115 | 600 | C:\Windows\SysWOW64\Obojhlbq.exe | (none)
116 | 740 | C:\Windows\SysWOW64\Okgnab32.exe | Adds autorun key to be loaded by Explorer.exe on startup
117 | 2036 | C:\Windows\SysWOW64\Oobjaqaj.exe | (none)
118 | 1040 | C:\Windows\SysWOW64\Okikfagn.exe | (none)
119 | 2228 | C:\Windows\SysWOW64\Pfoocjfd.exe | (none)
120 | 3008 | C:\Windows\SysWOW64\Pimkpfeh.exe | (none)
121 | 2676 | C:\Windows\SysWOW64\Pnjdhmdo.exe | (none)
122 | 1796 | C:\Windows\SysWOW64\Pedleg32.exe | (none)