Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16/05/2024, 13:46
Behavioral task behavioral1
- Sample: e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
- Size: 109KB
- MD5: e13022bf7ba27c3775cbdac9acbac710
- SHA1: 71726b87fdc832b48a96efe4c0f3cc5fc3061fb8
- SHA256: af841a232ec4b29ff9192f1a593d9f196413bea38de631c63ba468879776adbf
- SHA512: 18d013f8d68ee2d516990a055f5089c9d3d9db7980858920477da07d7e96f22e4ee16a2947146a764e4b11a5f8a2a488ba44036ac80a327c652f9ee0e6807b1f
- SSDEEP: 3072:5v8ZuvPLZpKxIp8H1lcNVl8PSKJ9/LCqwzBu1DjHLMVDqqkSpR:9R7Z7+MqJ9zwtu1DjrFqhz
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffkoai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbeiefff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnofjfhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkgippgb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnlnlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mhloponc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Daipqhdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bemgilhh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miehak32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmgbao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Edfpih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fblmglgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pciddedl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gligjd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogekpg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcjeon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlfgcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kjjmbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdkjnl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opfbngfb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhdlad32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlmicj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcbecl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oclilp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nehomq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bccjdnbi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epbfmd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oijjka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkddnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agbpnh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qflhbhgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epoqde32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifffkncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Doecog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbefcm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnkion32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qobbofgn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffhpbacb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Liminmmk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljghjpfe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgldnkkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekfndmfb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqglggcp.exe
-
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan that can download and install additional malware on the infected host, such as other Trojans, ransomware and cryptominers.
resource | yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x000c00000001313a-5.dat | family_berbew
behavioral1/memory/2184-6-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/files/0x0008000000015d67-18.dat | family_berbew
behavioral1/memory/2144-26-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0007000000015d87-32.dat | family_berbew
behavioral1/memory/2144-34-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/memory/2648-45-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0009000000015e3a-46.dat | family_berbew
behavioral1/memory/2648-48-0x0000000000320000-0x0000000000364000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016c6b-59.dat | family_berbew
behavioral1/memory/2724-67-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016ce4-72.dat | family_berbew
behavioral1/memory/2724-76-0x00000000002D0000-0x0000000000314000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d1e-85.dat | family_berbew
behavioral1/memory/2132-92-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d3a-98.dat | family_berbew
behavioral1/memory/2604-105-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d90-111.dat | family_berbew
behavioral1/memory/2604-113-0x0000000000450000-0x0000000000494000-memory.dmp | family_berbew
behavioral1/memory/2952-123-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016dbb-125.dat | family_berbew
behavioral1/memory/2372-132-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016e94-138.dat | family_berbew
behavioral1/memory/676-145-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000017052-151.dat | family_berbew
behavioral1/memory/2680-158-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0034000000015d28-164.dat | family_berbew
behavioral1/memory/2680-165-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/files/0x00060000000173e0-177.dat | family_berbew
behavioral1/memory/2248-183-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/1272-185-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x000600000001745e-191.dat | family_berbew
behavioral1/memory/1272-193-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/files/0x000600000001749c-204.dat | family_berbew
behavioral1/memory/1264-210-0x0000000000320000-0x0000000000364000-memory.dmp | family_berbew
behavioral1/files/0x000900000001864e-220.dat | family_berbew
behavioral1/memory/1732-225-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x000500000001866d-227.dat | family_berbew
behavioral1/memory/1512-236-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/1512-241-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018c0a-238.dat | family_berbew
behavioral1/files/0x0006000000018f3a-248.dat | family_berbew
behavioral1/memory/1296-251-0x00000000003B0000-0x00000000003F4000-memory.dmp | family_berbew
behavioral1/memory/1772-253-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x00060000000190b6-259.dat | family_berbew
behavioral1/memory/792-264-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/1772-263-0x0000000000320000-0x0000000000364000-memory.dmp | family_berbew
behavioral1/memory/1772-262-0x0000000000320000-0x0000000000364000-memory.dmp | family_berbew
behavioral1/memory/792-270-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/files/0x00050000000191cd-271.dat | family_berbew
behavioral1/memory/1780-275-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019215-281.dat | family_berbew
behavioral1/memory/2136-286-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x000500000001923d-292.dat | family_berbew
behavioral1/memory/1160-301-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/2136-300-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/memory/2136-298-0x0000000000250000-0x0000000000294000-memory.dmp | family_berbew
behavioral1/files/0x000500000001924a-303.dat | family_berbew
behavioral1/memory/1504-308-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0005000000019270-315.dat | family_berbew
behavioral1/memory/2896-319-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/2896-328-0x00000000002D0000-0x0000000000314000-memory.dmp | family_berbew
behavioral1/files/0x000500000001933a-325.dat | family_berbew
-
Executes dropped EXE (64 IoCs)
pid | Process
2332 | Hacmcfge.exe
2144 | Hogmmjfo.exe
2648 | Iknnbklc.exe
2588 | Igdogl32.exe
2724 | Iqmcpahh.exe
2444 | Ikbgmj32.exe
2132 | Ikddbj32.exe
2604 | Imfqjbli.exe
2952 | Igkdgk32.exe
2372 | Jofiln32.exe
676 | Jmjjea32.exe
2680 | Jcdbbloa.exe
2248 | Jjojofgn.exe
1272 | Jcgogk32.exe
1264 | Jkbcln32.exe
1332 | Jgidao32.exe
1732 | Kaaijdgn.exe
1512 | Kgkafo32.exe
1296 | Kjjmbj32.exe
1772 | Kkijmm32.exe
792 | Kgpjanje.exe
1780 | Kahojc32.exe
2136 | Kiccofna.exe
1160 | Kblhgk32.exe
1504 | Kjcpii32.exe
2896 | Lckdanld.exe
1696 | Lpbefoai.exe
2520 | Lflmci32.exe
2656 | Lliflp32.exe
2844 | Leajdfnm.exe
2752 | Llkbap32.exe
2420 | Lecgje32.exe
2596 | Lajhofao.exe
2800 | Lefdpe32.exe
2920 | Monhhk32.exe
2060 | Mamddf32.exe
2696 | Mppepcfg.exe
644 | Mhgmapfi.exe
1496 | Mpdnkb32.exe
1432 | Meagci32.exe
864 | Moiklogi.exe
2288 | Mlmlecec.exe
1820 | Nlphkb32.exe
1000 | Ncjqhmkm.exe
1140 | Nhfipcid.exe
1552 | Nkeelohh.exe
1720 | Nhiffc32.exe
2256 | Nkgbbo32.exe
2208 | Nnennj32.exe
2996 | Ndpfkdmf.exe
2036 | Nkiogn32.exe
1604 | Nnhkcj32.exe
3044 | Ndbcpd32.exe
2532 | Ojolhk32.exe
2620 | Olmhdf32.exe
2660 | Ocgpappk.exe
2548 | Ogblbo32.exe
2944 | Onmdoioa.exe
2916 | Oqkqkdne.exe
2044 | Ocimgp32.exe
1224 | Ojcecjee.exe
1812 | Ombapedi.exe
392 | Oclilp32.exe
868 | Ofjfhk32.exe
-
Loads dropped DLL (64 IoCs)
pid | Process
2184 | e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
2184 | e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
2332 | Hacmcfge.exe
2332 | Hacmcfge.exe
2144 | Hogmmjfo.exe
2144 | Hogmmjfo.exe
2648 | Iknnbklc.exe
2648 | Iknnbklc.exe
2588 | Igdogl32.exe
2588 | Igdogl32.exe
2724 | Iqmcpahh.exe
2724 | Iqmcpahh.exe
2444 | Ikbgmj32.exe
2444 | Ikbgmj32.exe
2132 | Ikddbj32.exe
2132 | Ikddbj32.exe
2604 | Imfqjbli.exe
2604 | Imfqjbli.exe
2952 | Igkdgk32.exe
2952 | Igkdgk32.exe
2372 | Jofiln32.exe
2372 | Jofiln32.exe
676 | Jmjjea32.exe
676 | Jmjjea32.exe
2680 | Jcdbbloa.exe
2680 | Jcdbbloa.exe
2248 | Jjojofgn.exe
2248 | Jjojofgn.exe
1272 | Jcgogk32.exe
1272 | Jcgogk32.exe
1264 | Jkbcln32.exe
1264 | Jkbcln32.exe
1332 | Jgidao32.exe
1332 | Jgidao32.exe
1732 | Kaaijdgn.exe
1732 | Kaaijdgn.exe
1512 | Kgkafo32.exe
1512 | Kgkafo32.exe
1296 | Kjjmbj32.exe
1296 | Kjjmbj32.exe
1772 | Kkijmm32.exe
1772 | Kkijmm32.exe
792 | Kgpjanje.exe
792 | Kgpjanje.exe
1780 | Kahojc32.exe
1780 | Kahojc32.exe
2136 | Kiccofna.exe
2136 | Kiccofna.exe
1160 | Kblhgk32.exe
1160 | Kblhgk32.exe
1504 | Kjcpii32.exe
1504 | Kjcpii32.exe
2896 | Lckdanld.exe
2896 | Lckdanld.exe
1696 | Lpbefoai.exe
1696 | Lpbefoai.exe
2520 | Lflmci32.exe
2520 | Lflmci32.exe
2656 | Lliflp32.exe
2656 | Lliflp32.exe
2844 | Leajdfnm.exe
2844 | Leajdfnm.exe
2752 | Llkbap32.exe
2752 | Llkbap32.exe
-
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Jgnakn32.dll | Cpmhpbkc.exe
File created | C:\Windows\SysWOW64\Mabphn32.exe | Mikhgqbi.exe
File created | C:\Windows\SysWOW64\Hhcmhdke.exe | Heealhla.exe
File created | C:\Windows\SysWOW64\Jndape32.dll | Hfhcoj32.exe
File opened for modification | C:\Windows\SysWOW64\Jhdlad32.exe | Jbhcim32.exe
File created | C:\Windows\SysWOW64\Hiioin32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jblnaq32.exe | Jonbee32.exe
File created | C:\Windows\SysWOW64\Idbfpfoc.dll | Idfnicfl.exe
File created | C:\Windows\SysWOW64\Pfkhoe32.dll | Biaign32.exe
File created | C:\Windows\SysWOW64\Apqcdckf.dll | Process not Found
File created | C:\Windows\SysWOW64\Ohpjoahj.dll | Process not Found
File created | C:\Windows\SysWOW64\Bmmiij32.exe | Bkommo32.exe
File created | C:\Windows\SysWOW64\Debplg32.exe | Dcccpl32.exe
File opened for modification | C:\Windows\SysWOW64\Bgibnj32.exe | Bejfao32.exe
File created | C:\Windows\SysWOW64\Gglbfg32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mbiaej32.dll | Bmkmdk32.exe
File created | C:\Windows\SysWOW64\Cnaocmmi.exe | Ckccgane.exe
File opened for modification | C:\Windows\SysWOW64\Afnagk32.exe | Alhmjbhj.exe
File created | C:\Windows\SysWOW64\Gihniioc.exe | Gbnflo32.exe
File created | C:\Windows\SysWOW64\Qabkpdke.dll | Ehjona32.exe
File created | C:\Windows\SysWOW64\Folfoj32.exe | Edfbaabj.exe
File created | C:\Windows\SysWOW64\Nhohda32.exe | Neplhf32.exe
File opened for modification | C:\Windows\SysWOW64\Pjcckf32.exe | Phbgcnig.exe
File opened for modification | C:\Windows\SysWOW64\Abkhkgbb.exe | Anolkh32.exe
File opened for modification | C:\Windows\SysWOW64\Jckgicnp.exe | Jplkmgol.exe
File opened for modification | C:\Windows\SysWOW64\Hfegij32.exe | Hcgjmo32.exe
File created | C:\Windows\SysWOW64\Dcghkf32.exe | Process not Found
File created | C:\Windows\SysWOW64\Onecbg32.exe | Ogkkfmml.exe
File opened for modification | C:\Windows\SysWOW64\Jdpjba32.exe | Jikeeh32.exe
File created | C:\Windows\SysWOW64\Mqbbagjo.exe | Process not Found
File created | C:\Windows\SysWOW64\Ehhdaj32.exe | Process not Found
File created | C:\Windows\SysWOW64\Gcmamj32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cfehhn32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lliflp32.exe | Lflmci32.exe
File created | C:\Windows\SysWOW64\Lefdpe32.exe | Lajhofao.exe
File opened for modification | C:\Windows\SysWOW64\Lncfcgeb.exe | Process not Found
File created | C:\Windows\SysWOW64\Cocajj32.dll | Process not Found
File created | C:\Windows\SysWOW64\Gockgdeh.exe | Process not Found
File created | C:\Windows\SysWOW64\Imjkpb32.exe | Process not Found
File created | C:\Windows\SysWOW64\Laqojfli.exe | Process not Found
File created | C:\Windows\SysWOW64\Ccahbp32.exe | Bhkdeggl.exe
File opened for modification | C:\Windows\SysWOW64\Onecbg32.exe | Ogkkfmml.exe
File opened for modification | C:\Windows\SysWOW64\Iapgkl32.exe | Ipokcdjn.exe
File created | C:\Windows\SysWOW64\Mnbpjb32.exe | Mkddnf32.exe
File created | C:\Windows\SysWOW64\Nfidjbdg.exe | Npolmh32.exe
File opened for modification | C:\Windows\SysWOW64\Ibcnojnp.exe | Ipeaco32.exe
File created | C:\Windows\SysWOW64\Hmpaom32.exe | Process not Found
File created | C:\Windows\SysWOW64\Nlhqhm32.dll | Gnpmfqap.exe
File opened for modification | C:\Windows\SysWOW64\Lkicbk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kaaijdgn.exe | Jgidao32.exe
File opened for modification | C:\Windows\SysWOW64\Ddgjdk32.exe | Dbhnhp32.exe
File created | C:\Windows\SysWOW64\Fbpljhnf.dll | Mpjqiq32.exe
File created | C:\Windows\SysWOW64\Dognqkje.dll | Aflfjc32.exe
File opened for modification | C:\Windows\SysWOW64\Nqmnjd32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mlpckqje.dll | Process not Found
File created | C:\Windows\SysWOW64\Nmngmj32.dll | Jgidao32.exe
File created | C:\Windows\SysWOW64\Kjcpii32.exe | Kblhgk32.exe
File opened for modification | C:\Windows\SysWOW64\Elhnof32.exe | Ejjbbkpj.exe
File opened for modification | C:\Windows\SysWOW64\Fmfnhj32.exe | Fkdaqa32.exe
File created | C:\Windows\SysWOW64\Khkbbc32.exe | Knfndjdp.exe
File created | C:\Windows\SysWOW64\Idnhde32.dll | Qmfgjh32.exe
File created | C:\Windows\SysWOW64\Afmjbf32.dll | Kdjccf32.exe
File opened for modification | C:\Windows\SysWOW64\Kkpqlm32.exe | Process not Found
File created | C:\Windows\SysWOW64\Jeomfi32.dll | Process not Found
-
Program crash (1 IoC)
pid | pid_target | Process | procid_target
8040 | 8028 | Process not Found | 1582
-
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll" | Odoloalf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gbomfe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mpbdnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jlnklcej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oohqqlei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dljkcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pjcabmga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gfehan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jedcpi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kdbbgdjj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jfnnha32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjomgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fcmben32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll" | Ajhgmpfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklaogoi.dll" | Dpmdofno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfjegqq.dll" | Odgodl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ejpdai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pggdejno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mnbpjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" | Pgioaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qpecfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fenmdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgkadij.dll" | Jojkco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjkan32.dll" | Ddfebnoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fdkklp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idejihgk.dll" | Fcbecl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlkhpje.dll" | Lfhhjklc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ocnfbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hmcfhkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idfnicfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll" | Ngdifkpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fnipkkdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddfebnoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgcpnbh.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jlklnjoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Heealhla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Becpap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qngmgjeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdeeaobo.dll" | Kcijeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apimlcdc.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnpioai.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolcnd32.dll" | Iqmcpahh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncbplk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanfn32.dll" | Heakcjcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oaaifdhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleijpbj.dll" | Ppkhhjei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gcbabpcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe33⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe35⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe36⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe37⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe38⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe39⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe40⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe41⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe42⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe43⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe44⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe45⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe46⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe47⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe48⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe49⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe50⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe51⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe52⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe53⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe54⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe55⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe56⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe57⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe58⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe59⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe60⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe61⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe62⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe63⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe65⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe66⤵PID:1268
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe67⤵PID:1444
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe68⤵
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe69⤵PID:3036
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe70⤵PID:1556
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe71⤵PID:1312
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe72⤵PID:652
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe73⤵PID:908
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe74⤵PID:2160
-
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe75⤵PID:1928
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe76⤵PID:2636
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe77⤵PID:2728
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe78⤵PID:2988
-
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe79⤵PID:2976
-
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe80⤵PID:2684
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe81⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe82⤵PID:2032
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe83⤵PID:2404
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe84⤵PID:3052
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe85⤵PID:872
-
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe86⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe87⤵PID:1056
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe88⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe89⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe90⤵PID:2616
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe91⤵PID:2452
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe92⤵PID:2492
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe93⤵PID:2804
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe94⤵PID:2664
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe95⤵PID:1548
-
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe96⤵PID:688
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe97⤵PID:2792
-
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe98⤵PID:2064
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe99⤵PID:1944
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe100⤵PID:2676
-
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe101⤵PID:1840
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe102⤵
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe103⤵PID:452
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe104⤵PID:1596
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe105⤵PID:2624
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe106⤵PID:2580
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe107⤵PID:2540
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe108⤵PID:1868
-
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe109⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe110⤵PID:2820
-
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe111⤵PID:2968
-
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe112⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe113⤵PID:1652
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe114⤵PID:1164
-
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe115⤵PID:1256
-
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe116⤵PID:2512
-
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe117⤵PID:2888
-
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe118⤵PID:2200
-
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe119⤵PID:2608
-
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe120⤵PID:2640
-
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe122⤵
- Drops file in System32 directory
PID:320