Analysis
max time kernel: 138s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2024, 13:46
Behavioral task: behavioral1
Sample: e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
Size: 109KB
MD5: e13022bf7ba27c3775cbdac9acbac710
SHA1: 71726b87fdc832b48a96efe4c0f3cc5fc3061fb8
SHA256: af841a232ec4b29ff9192f1a593d9f196413bea38de631c63ba468879776adbf
SHA512: 18d013f8d68ee2d516990a055f5089c9d3d9db7980858920477da07d7e96f22e4ee16a2947146a764e4b11a5f8a2a488ba44036ac80a327c652f9ee0e6807b1f
SSDEEP: 3072:5v8ZuvPLZpKxIp8H1lcNVl8PSKJ9/LCqwzBu1DjHLMVDqqkSpR:9R7Z7+MqJ9zwtu1DjrFqhz
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbnpcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afinioip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcqjon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlednamo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghipne32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdepgkgj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikbfgppo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Objpoh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jeklag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oileggkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjjahe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inlihl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjinkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eopbnbhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Haafcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lclpdncg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gohhpe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbognp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkhgmf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Klifnj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajcdnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lqkgbcff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Poodpmca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hgelek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cojjqlpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nepgjaeg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afjlnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oaajed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lnjnqh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bebblb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcogje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbqmiinl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jgfdmlcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlcalieg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imakkfdg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifjodl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfhfan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afhohlbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnhjohkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Boflmdkk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikokan32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbgalmej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfqmpl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipoopgnf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmieae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpggamqc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/3632-0-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x00070000000232a4-7.dat | family_berbew
behavioral2/memory/3504-16-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/memory/3168-15-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023419-14.dat | family_berbew
behavioral2/files/0x000700000002341b-22.dat | family_berbew
behavioral2/memory/4516-24-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002341d-31.dat | family_berbew
behavioral2/memory/4672-32-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002341f-38.dat | family_berbew
behavioral2/memory/1772-44-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023421-47.dat | family_berbew
behavioral2/memory/1800-48-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023423-55.dat | family_berbew
behavioral2/memory/4508-56-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023425-62.dat | family_berbew
behavioral2/memory/3372-64-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023427-70.dat | family_berbew
behavioral2/memory/1648-72-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023429-78.dat | family_berbew
behavioral2/memory/4076-79-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002342b-86.dat | family_berbew
behavioral2/memory/2760-88-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002342d-94.dat | family_berbew
behavioral2/memory/900-96-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002342f-102.dat | family_berbew
behavioral2/memory/1932-104-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023431-110.dat | family_berbew
behavioral2/memory/4956-112-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023433-118.dat | family_berbew
behavioral2/memory/2944-119-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023435-127.dat | family_berbew
behavioral2/memory/640-132-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023437-134.dat | family_berbew
behavioral2/memory/1100-140-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023439-143.dat | family_berbew
behavioral2/memory/1780-148-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002343c-150.dat | family_berbew
behavioral2/memory/1972-152-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002343e-158.dat | family_berbew
behavioral2/memory/4580-164-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023440-167.dat | family_berbew
behavioral2/memory/1552-172-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023442-175.dat | family_berbew
behavioral2/memory/2552-176-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0009000000023415-182.dat | family_berbew
behavioral2/files/0x0007000000023445-190.dat | family_berbew
behavioral2/memory/1116-189-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/memory/2356-192-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023447-198.dat | family_berbew
behavioral2/memory/4448-204-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023449-207.dat | family_berbew
behavioral2/memory/4924-208-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/memory/3636-216-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002344b-215.dat | family_berbew
behavioral2/files/0x000700000002344d-223.dat | family_berbew
behavioral2/memory/3656-228-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x000700000002344f-231.dat | family_berbew
behavioral2/files/0x0007000000023451-238.dat | family_berbew
behavioral2/memory/4992-240-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/memory/4088-239-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023453-247.dat | family_berbew
behavioral2/memory/184-248-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023455-255.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
3168 | Jbmfoa32.exe
3504 | Jigollag.exe
4516 | Jdmcidam.exe
4672 | Jbocea32.exe
1772 | Kaqcbi32.exe
1800 | Kdopod32.exe
4508 | Kilhgk32.exe
3372 | Kmgdgjek.exe
1648 | Kbdmpqcb.exe
4076 | Kinemkko.exe
2760 | Kdcijcke.exe
900 | Kknafn32.exe
1932 | Kmlnbi32.exe
4956 | Kcifkp32.exe
2944 | Kibnhjgj.exe
640 | Kpmfddnf.exe
1100 | Kgfoan32.exe
1780 | Lmqgnhmp.exe
1972 | Lalcng32.exe
4580 | Lcmofolg.exe
1552 | Liggbi32.exe
2552 | Laopdgcg.exe
1116 | Ldmlpbbj.exe
2356 | Lkgdml32.exe
4448 | Lnepih32.exe
4924 | Lgneampk.exe
3636 | Lnhmng32.exe
3656 | Laciofpa.exe
4088 | Ldaeka32.exe
4992 | Lcdegnep.exe
184 | Ljnnch32.exe
4220 | Lphfpbdi.exe
4600 | Lcgblncm.exe
2988 | Mjqjih32.exe
4456 | Mpkbebbf.exe
3856 | Mkpgck32.exe
3180 | Mnocof32.exe
4676 | Mpmokb32.exe
4108 | Mdiklqhm.exe
440 | Mjeddggd.exe
1232 | Mnapdf32.exe
3752 | Mpolqa32.exe
2264 | Mgidml32.exe
5056 | Mjhqjg32.exe
3508 | Maohkd32.exe
980 | Mcpebmkb.exe
4792 | Mkgmcjld.exe
3820 | Mnfipekh.exe
2572 | Mpdelajl.exe
3616 | Mcbahlip.exe
4916 | Nkjjij32.exe
5108 | Nnhfee32.exe
788 | Ndbnboqb.exe
3060 | Ngpjnkpf.exe
4520 | Nklfoi32.exe
1592 | Nnjbke32.exe
412 | Ncgkcl32.exe
3116 | Njacpf32.exe
2748 | Nbhkac32.exe
4488 | Ndghmo32.exe
464 | Ngedij32.exe
2620 | Njcpee32.exe
4464 | Ndidbn32.exe
456 | Nggqoj32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Onfbfc32.exe | Okhfjh32.exe
File created | C:\Windows\SysWOW64\Lpebpm32.exe | Likjcbkc.exe
File created | C:\Windows\SysWOW64\Aomaga32.dll | Likjcbkc.exe
File created | C:\Windows\SysWOW64\Bafndi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ljnlecmp.exe | Process not Found
File created | C:\Windows\SysWOW64\Fclbolkk.dll | Jgogbgei.exe
File created | C:\Windows\SysWOW64\Ojigdcll.exe | Process not Found
File created | C:\Windows\SysWOW64\Jeiooj32.dll | e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Hnagak32.exe | Hghoeqmp.exe
File created | C:\Windows\SysWOW64\Inpccihl.exe | Ikaggmii.exe
File created | C:\Windows\SysWOW64\Ilqoobdd.exe | Process not Found
File created | C:\Windows\SysWOW64\Ldaeka32.exe | Laciofpa.exe
File created | C:\Windows\SysWOW64\Jcnmjgff.dll | Gkjhoq32.exe
File created | C:\Windows\SysWOW64\Pnpemb32.exe | Odgqdlnj.exe
File created | C:\Windows\SysWOW64\Qeemej32.exe | Qajadlja.exe
File created | C:\Windows\SysWOW64\Echknh32.exe | Dceohhja.exe
File opened for modification | C:\Windows\SysWOW64\Kpbmco32.exe | Klgqcqkl.exe
File created | C:\Windows\SysWOW64\Jgonlm32.exe | Jfnbdecg.exe
File created | C:\Windows\SysWOW64\Hiikaj32.dll | Neafjdkn.exe
File opened for modification | C:\Windows\SysWOW64\Kdbjhbbd.exe | Knhakh32.exe
File created | C:\Windows\SysWOW64\Lfmmaj32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Acjjfggb.exe | Aegikj32.exe
File created | C:\Windows\SysWOW64\Jcinbcgc.dll | Ibjjhn32.exe
File opened for modification | C:\Windows\SysWOW64\Dmlkhofd.exe | Process not Found
File created | C:\Windows\SysWOW64\Ijdabh32.dll | Kcbnnpka.exe
File created | C:\Windows\SysWOW64\Lgepom32.exe | Lqkgbcff.exe
File opened for modification | C:\Windows\SysWOW64\Dkhnjk32.exe | Process not Found
File created | C:\Windows\SysWOW64\Qegnoi32.dll | Hbgmcnhf.exe
File opened for modification | C:\Windows\SysWOW64\Ffceip32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mfpqjjgd.dll | Kimghn32.exe
File created | C:\Windows\SysWOW64\Cgjjdf32.exe | Cpbbch32.exe
File opened for modification | C:\Windows\SysWOW64\Fjmkoeqi.exe | Fbfcmhpg.exe
File opened for modification | C:\Windows\SysWOW64\Kmfhkf32.exe | Kjhloj32.exe
File opened for modification | C:\Windows\SysWOW64\Omdppiif.exe | Process not Found
File created | C:\Windows\SysWOW64\Akanejnd.dll | Kknafn32.exe
File opened for modification | C:\Windows\SysWOW64\Ggqida32.exe | Gepmlimi.exe
File created | C:\Windows\SysWOW64\Dckhejil.dll | Iddljmpc.exe
File created | C:\Windows\SysWOW64\Aomifecf.exe | Ahcajk32.exe
File opened for modification | C:\Windows\SysWOW64\Kpjgaoqm.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Eleiam32.exe | Ehimanbq.exe
File opened for modification | C:\Windows\SysWOW64\Flceckoj.exe | Fdlnbm32.exe
File created | C:\Windows\SysWOW64\Ehjhee32.dll | Fehfljca.exe
File opened for modification | C:\Windows\SysWOW64\Cbfgkffn.exe | Process not Found
File created | C:\Windows\SysWOW64\Fdahdiml.dll | Process not Found
File created | C:\Windows\SysWOW64\Lnaendmh.dll | Bobcpmfc.exe
File created | C:\Windows\SysWOW64\Eadpldgf.dll | Kgamnded.exe
File created | C:\Windows\SysWOW64\Knhakh32.exe | Kkjeomld.exe
File created | C:\Windows\SysWOW64\Ljclki32.exe | Lgepom32.exe
File opened for modification | C:\Windows\SysWOW64\Maggnali.exe | Mjmoag32.exe
File opened for modification | C:\Windows\SysWOW64\Phonha32.exe | Process not Found
File created | C:\Windows\SysWOW64\Lqppgj32.dll | Process not Found
File created | C:\Windows\SysWOW64\Chdkoa32.exe | Cefoce32.exe
File created | C:\Windows\SysWOW64\Ebhcbe32.dll | Hgjljpkm.exe
File opened for modification | C:\Windows\SysWOW64\Cfnjpfcl.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gcagkdba.exe | Gfngap32.exe
File created | C:\Windows\SysWOW64\Lphoelqn.exe | Lmiciaaj.exe
File opened for modification | C:\Windows\SysWOW64\Ibicnh32.exe | Ikokan32.exe
File created | C:\Windows\SysWOW64\Aieeeflh.dll | Oeicejia.exe
File created | C:\Windows\SysWOW64\Eangpgcl.exe | Ejdocm32.exe
File created | C:\Windows\SysWOW64\Gdmmbq32.exe | Gmcdffmq.exe
File created | C:\Windows\SysWOW64\Nondlbmd.dll | Bhldpj32.exe
File created | C:\Windows\SysWOW64\Nmipdk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hghoeqmp.exe | Hffcmh32.exe
File created | C:\Windows\SysWOW64\Anclbkbp.exe | Process not Found
Program crash (1 IoC)
pid | pid_target | Process | procid_target
12756 | 13044 | Process not Found | 1458
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ibmeoq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nljofl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhgbhfbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolfj32.dll" | Npgabc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ahchda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ccchof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gkjhoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gddbcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gfokoelp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oponmilc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbcakoc.dll" | Neffpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ihnkel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamhmbej.dll" | Dikihe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgccinoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlaebn32.dll" | Jgfdmlcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhpfjhc.dll" | Oohgdhfn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hckjacjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klgqcqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Acqimo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jcbihpel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" | Afjlnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Okedcjcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjajmpkj.dll" | Ikbfgppo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncilb32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cojjqlpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfcklij.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cdabcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmdhm32.dll" | Lbjelc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Igdnabjh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hbpgbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oflgep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kechmoil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkhgb32.dll" | Qcbfakec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idfaefkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmkog32.dll" | Edkdkplj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Emoinpcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hbdjchgn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ppjgoaoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpabql32.dll" | Hajpbckl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lbinam32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfjgifo.dll" | Lankbigo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgofgjn.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kqnbkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkgmcjld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qchmagie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekpedip.dll" | Fimodc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Maggnali.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" | Maohkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hbdjchgn.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
The processes form a single linear chain in which each one launches the next; the leading number is the depth in that chain. Every dropped binary is launched as C:\Windows\system32\<name>.exe and runs from C:\Windows\SysWOW64\<name>.exe. The signatures each process triggered follow its PID.
1 "C:\Users\Admin\AppData\Local\Temp\e13022bf7ba27c3775cbdac9acbac710_NeikiAnalytics.exe" (PID 3632): Drops file in System32 directory; Suspicious use of WriteProcessMemory
2 C:\Windows\SysWOW64\Jbmfoa32.exe (PID 3168): Executes dropped EXE; Suspicious use of WriteProcessMemory
3 C:\Windows\SysWOW64\Jigollag.exe (PID 3504): Executes dropped EXE; Suspicious use of WriteProcessMemory
4 C:\Windows\SysWOW64\Jdmcidam.exe (PID 4516): Executes dropped EXE; Suspicious use of WriteProcessMemory
5 C:\Windows\SysWOW64\Jbocea32.exe (PID 4672): Executes dropped EXE; Suspicious use of WriteProcessMemory
6 C:\Windows\SysWOW64\Kaqcbi32.exe (PID 1772): Executes dropped EXE; Suspicious use of WriteProcessMemory
7 C:\Windows\SysWOW64\Kdopod32.exe (PID 1800): Executes dropped EXE; Suspicious use of WriteProcessMemory
8 C:\Windows\SysWOW64\Kilhgk32.exe (PID 4508): Executes dropped EXE; Suspicious use of WriteProcessMemory
9 C:\Windows\SysWOW64\Kmgdgjek.exe (PID 3372): Executes dropped EXE; Suspicious use of WriteProcessMemory
10 C:\Windows\SysWOW64\Kbdmpqcb.exe (PID 1648): Executes dropped EXE; Suspicious use of WriteProcessMemory
11 C:\Windows\SysWOW64\Kinemkko.exe (PID 4076): Executes dropped EXE; Suspicious use of WriteProcessMemory
12 C:\Windows\SysWOW64\Kdcijcke.exe (PID 2760): Executes dropped EXE; Suspicious use of WriteProcessMemory
13 C:\Windows\SysWOW64\Kknafn32.exe (PID 900): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14 C:\Windows\SysWOW64\Kmlnbi32.exe (PID 1932): Executes dropped EXE; Suspicious use of WriteProcessMemory
15 C:\Windows\SysWOW64\Kcifkp32.exe (PID 4956): Executes dropped EXE; Suspicious use of WriteProcessMemory
16 C:\Windows\SysWOW64\Kibnhjgj.exe (PID 2944): Executes dropped EXE; Suspicious use of WriteProcessMemory
17 C:\Windows\SysWOW64\Kpmfddnf.exe (PID 640): Executes dropped EXE; Suspicious use of WriteProcessMemory
18 C:\Windows\SysWOW64\Kgfoan32.exe (PID 1100): Executes dropped EXE; Suspicious use of WriteProcessMemory
19 C:\Windows\SysWOW64\Lmqgnhmp.exe (PID 1780): Executes dropped EXE; Suspicious use of WriteProcessMemory
20 C:\Windows\SysWOW64\Lalcng32.exe (PID 1972): Executes dropped EXE; Suspicious use of WriteProcessMemory
21 C:\Windows\SysWOW64\Lcmofolg.exe (PID 4580): Executes dropped EXE; Suspicious use of WriteProcessMemory
22 C:\Windows\SysWOW64\Liggbi32.exe (PID 1552): Executes dropped EXE; Suspicious use of WriteProcessMemory
23 C:\Windows\SysWOW64\Laopdgcg.exe (PID 2552): Executes dropped EXE
24 C:\Windows\SysWOW64\Ldmlpbbj.exe (PID 1116): Executes dropped EXE
25 C:\Windows\SysWOW64\Lkgdml32.exe (PID 2356): Executes dropped EXE
26 C:\Windows\SysWOW64\Lnepih32.exe (PID 4448): Executes dropped EXE
27 C:\Windows\SysWOW64\Lgneampk.exe (PID 4924): Executes dropped EXE
28 C:\Windows\SysWOW64\Lnhmng32.exe (PID 3636): Executes dropped EXE
29 C:\Windows\SysWOW64\Laciofpa.exe (PID 3656): Executes dropped EXE; Drops file in System32 directory
30 C:\Windows\SysWOW64\Ldaeka32.exe (PID 4088): Executes dropped EXE
31 C:\Windows\SysWOW64\Lcdegnep.exe (PID 4992): Executes dropped EXE
32 C:\Windows\SysWOW64\Ljnnch32.exe (PID 184): Executes dropped EXE
33 C:\Windows\SysWOW64\Lphfpbdi.exe (PID 4220): Executes dropped EXE
34 C:\Windows\SysWOW64\Lcgblncm.exe (PID 4600): Executes dropped EXE
35 C:\Windows\SysWOW64\Mjqjih32.exe (PID 2988): Executes dropped EXE
36 C:\Windows\SysWOW64\Mpkbebbf.exe (PID 4456): Executes dropped EXE
37 C:\Windows\SysWOW64\Mkpgck32.exe (PID 3856): Executes dropped EXE
38 C:\Windows\SysWOW64\Mnocof32.exe (PID 3180): Executes dropped EXE
39 C:\Windows\SysWOW64\Mpmokb32.exe (PID 4676): Executes dropped EXE
40 C:\Windows\SysWOW64\Mdiklqhm.exe (PID 4108): Executes dropped EXE
41 C:\Windows\SysWOW64\Mjeddggd.exe (PID 440): Executes dropped EXE
42 C:\Windows\SysWOW64\Mnapdf32.exe (PID 1232): Executes dropped EXE
43 C:\Windows\SysWOW64\Mpolqa32.exe (PID 3752): Executes dropped EXE
44 C:\Windows\SysWOW64\Mgidml32.exe (PID 2264): Executes dropped EXE
45 C:\Windows\SysWOW64\Mjhqjg32.exe (PID 5056): Executes dropped EXE
46 C:\Windows\SysWOW64\Maohkd32.exe (PID 3508): Executes dropped EXE; Modifies registry class
47 C:\Windows\SysWOW64\Mcpebmkb.exe (PID 980): Executes dropped EXE
48 C:\Windows\SysWOW64\Mkgmcjld.exe (PID 4792): Executes dropped EXE; Modifies registry class
49 C:\Windows\SysWOW64\Mnfipekh.exe (PID 3820): Executes dropped EXE
50 C:\Windows\SysWOW64\Mpdelajl.exe (PID 2572): Executes dropped EXE
51 C:\Windows\SysWOW64\Mcbahlip.exe (PID 3616): Executes dropped EXE
52 C:\Windows\SysWOW64\Nkjjij32.exe (PID 4916): Executes dropped EXE
53 C:\Windows\SysWOW64\Nnhfee32.exe (PID 5108): Executes dropped EXE
54 C:\Windows\SysWOW64\Ndbnboqb.exe (PID 788): Executes dropped EXE
55 C:\Windows\SysWOW64\Ngpjnkpf.exe (PID 3060): Executes dropped EXE
56 C:\Windows\SysWOW64\Nklfoi32.exe (PID 4520): Executes dropped EXE
57 C:\Windows\SysWOW64\Nnjbke32.exe (PID 1592): Executes dropped EXE
58 C:\Windows\SysWOW64\Ncgkcl32.exe (PID 412): Executes dropped EXE
59 C:\Windows\SysWOW64\Njacpf32.exe (PID 3116): Executes dropped EXE
60 C:\Windows\SysWOW64\Nbhkac32.exe (PID 2748): Executes dropped EXE
61 C:\Windows\SysWOW64\Ndghmo32.exe (PID 4488): Executes dropped EXE
62 C:\Windows\SysWOW64\Ngedij32.exe (PID 464): Executes dropped EXE
63 C:\Windows\SysWOW64\Njcpee32.exe (PID 2620): Executes dropped EXE
64 C:\Windows\SysWOW64\Ndidbn32.exe (PID 4464): Executes dropped EXE
65 C:\Windows\SysWOW64\Nggqoj32.exe (PID 456): Executes dropped EXE
66 C:\Windows\SysWOW64\Njfmke32.exe (PID 3576)
67 C:\Windows\SysWOW64\Nnaikd32.exe (PID 940)
68 C:\Windows\SysWOW64\Nqpego32.exe (PID 1952)
69 C:\Windows\SysWOW64\Ncnadk32.exe (PID 1764)
70 C:\Windows\SysWOW64\Okeieh32.exe (PID 4544)
71 C:\Windows\SysWOW64\Oqbamo32.exe (PID 3112)
72 C:\Windows\SysWOW64\Ocqnij32.exe (PID 1568)
73 C:\Windows\SysWOW64\Okhfjh32.exe (PID 2452): Drops file in System32 directory
74 C:\Windows\SysWOW64\Onfbfc32.exe (PID 3932)
75 C:\Windows\SysWOW64\Oqdoboli.exe (PID 2112)
76 C:\Windows\SysWOW64\Ogogoi32.exe (PID 3056)
77 C:\Windows\SysWOW64\Obdkma32.exe (PID 1332)
78 C:\Windows\SysWOW64\Ogaceh32.exe (PID 4416)
79 C:\Windows\SysWOW64\Oqihnn32.exe (PID 1632)
80 C:\Windows\SysWOW64\Ocgdji32.exe (PID 1564)
81 C:\Windows\SysWOW64\Obidhaog.exe (PID 4620)
82 C:\Windows\SysWOW64\Odgqdlnj.exe (PID 736): Drops file in System32 directory
83 C:\Windows\SysWOW64\Pnpemb32.exe (PID 4168)
84 C:\Windows\SysWOW64\Peimil32.exe (PID 1680)
85 C:\Windows\SysWOW64\Pnbbbabh.exe (PID 2344)
86 C:\Windows\SysWOW64\Pqpnombl.exe (PID 3140)
87 C:\Windows\SysWOW64\Pndohaqe.exe (PID 2272)
88 C:\Windows\SysWOW64\Pgmcqggf.exe (PID 2652)
89 C:\Windows\SysWOW64\Pcccfh32.exe (PID 4024)
90 C:\Windows\SysWOW64\Pjmlbbdg.exe (PID 5136)
91 C:\Windows\SysWOW64\Pnihcq32.exe (PID 5196)
92 C:\Windows\SysWOW64\Pbddcoei.exe (PID 5232)
93 C:\Windows\SysWOW64\Qcepkg32.exe (PID 5296)
94 C:\Windows\SysWOW64\Qkmhlekj.exe (PID 5360)
95 C:\Windows\SysWOW64\Qjpiha32.exe (PID 5408)
96 C:\Windows\SysWOW64\Qajadlja.exe (PID 5460): Drops file in System32 directory
97 C:\Windows\SysWOW64\Qeemej32.exe (PID 5516)
98 C:\Windows\SysWOW64\Qchmagie.exe (PID 5576): Modifies registry class
99 C:\Windows\SysWOW64\Qloebdig.exe (PID 5652)
100 C:\Windows\SysWOW64\Qjbena32.exe (PID 5692)
101 C:\Windows\SysWOW64\Qalnjkgo.exe (PID 5756)
102 C:\Windows\SysWOW64\Aegikj32.exe (PID 5796): Drops file in System32 directory
103 C:\Windows\SysWOW64\Acjjfggb.exe (PID 5836)
104 C:\Windows\SysWOW64\Alabgd32.exe (PID 5888)
105 C:\Windows\SysWOW64\Anpncp32.exe (PID 5948)
106 C:\Windows\SysWOW64\Aanjpk32.exe (PID 5988)
107 C:\Windows\SysWOW64\Ajfoiqll.exe (PID 6032)
108 C:\Windows\SysWOW64\Aelcfilb.exe (PID 6072)
109 C:\Windows\SysWOW64\Ahkobekf.exe (PID 6116)
110 C:\Windows\SysWOW64\Andgoobc.exe (PID 5124)
111 C:\Windows\SysWOW64\Adapgfqj.exe (PID 5216)
112 C:\Windows\SysWOW64\Angddopp.exe (PID 5292)
113 C:\Windows\SysWOW64\Aaepqjpd.exe (PID 5388)
114 C:\Windows\SysWOW64\Ahoimd32.exe (PID 5456)
115 C:\Windows\SysWOW64\Aniajnnn.exe (PID 5584)
116 C:\Windows\SysWOW64\Bahmfj32.exe (PID 5680)
117 C:\Windows\SysWOW64\Bdfibe32.exe (PID 5752)
118 C:\Windows\SysWOW64\Blmacb32.exe (PID 5820)
119 C:\Windows\SysWOW64\Bbgipldd.exe (PID 5912)
120 C:\Windows\SysWOW64\Bdhfhe32.exe (PID 5996)
121 C:\Windows\SysWOW64\Bbifelba.exe (PID 6060)
122 C:\Windows\SysWOW64\Behbag32.exe (PID 6136)