Analysis
max time kernel: 101s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 16/05/2024, 13:32
Behavioral task: behavioral1
Sample: e0b815d739002a37a6ecc20bc3650730_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: e0b815d739002a37a6ecc20bc3650730_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: e0b815d739002a37a6ecc20bc3650730_NeikiAnalytics.exe
Size: 768KB
MD5: e0b815d739002a37a6ecc20bc3650730
SHA1: 726cc2dfc685bf521316d385d4bbee0e507f1aca
SHA256: b45e7436ae4ee7299390de7e43c191b0e0f743d8d0f5412a504121f6f1cea01d
SHA512: 9328b59fbc9c663bf961620d5d888a060d2649f23403db8a90279995af2f702ceb2a4d923cdc8b47bb1ac21bdaa052b14897117e031a44ec6cc5ba3dfd7fdc12
SSDEEP: 12288:KkJLvH6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvO:1q5h3q5htaSHFaZRBEYyqmaf2qwiHPKu
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Dropper & Backdoor - Berbew (64 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry: depth in the process tree. image path | command line | PID, followed by the signatures triggered by that process.
1. C:\Users\Admin\AppData\Local\Temp\e0b815d739002a37a6ecc20bc3650730_NeikiAnalytics.exe | command line: "C:\Users\Admin\AppData\Local\Temp\e0b815d739002a37a6ecc20bc3650730_NeikiAnalytics.exe" | PID:2648
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dafppp32.exe | command line: C:\Windows\system32\Dafppp32.exe | PID:1628
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Doagjc32.exe | command line: C:\Windows\system32\Doagjc32.exe | PID:2360
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Eqdpgk32.exe | command line: C:\Windows\system32\Eqdpgk32.exe | PID:2728
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ekonpckp.exe | command line: C:\Windows\system32\Ekonpckp.exe | PID:1136
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Galoohke.exe | command line: C:\Windows\system32\Galoohke.exe | PID:4800
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gpolbo32.exe | command line: C:\Windows\system32\Gpolbo32.exe | PID:1892
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gpaihooo.exe | command line: C:\Windows\system32\Gpaihooo.exe | PID:4068
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Glhimp32.exe | command line: C:\Windows\system32\Glhimp32.exe | PID:4772
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Hioflcbj.exe | command line: C:\Windows\system32\Hioflcbj.exe | PID:4344
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Haodle32.exe | command line: C:\Windows\system32\Haodle32.exe | PID:3840
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ihmfco32.exe | command line: C:\Windows\system32\Ihmfco32.exe | PID:1084
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ihpcinld.exe | command line: C:\Windows\system32\Ihpcinld.exe | PID:2244
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ibgdlg32.exe | command line: C:\Windows\system32\Ibgdlg32.exe | PID:1528
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jbojlfdp.exe | command line: C:\Windows\system32\Jbojlfdp.exe | PID:2308
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Joekag32.exe | command line: C:\Windows\system32\Joekag32.exe | PID:1768
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kakmna32.exe | command line: C:\Windows\system32\Kakmna32.exe | PID:2616
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Kekbjo32.exe | command line: C:\Windows\system32\Kekbjo32.exe | PID:2468
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Kpccmhdg.exe | command line: C:\Windows\system32\Kpccmhdg.exe | PID:1020
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Laiipofp.exe | command line: C:\Windows\system32\Laiipofp.exe | PID:368
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Loofnccf.exe | command line: C:\Windows\system32\Loofnccf.exe | PID:4532
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Lcmodajm.exe | command line: C:\Windows\system32\Lcmodajm.exe | PID:3180
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Mlhqcgnk.exe | command line: C:\Windows\system32\Mlhqcgnk.exe | PID:2264
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Mfpell32.exe | command line: C:\Windows\system32\Mfpell32.exe | PID:5088
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Nckkfp32.exe | command line: C:\Windows\system32\Nckkfp32.exe | PID:3716
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Nbbeml32.exe | command line: C:\Windows\system32\Nbbeml32.exe | PID:4540
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Obgohklm.exe | command line: C:\Windows\system32\Obgohklm.exe | PID:2420
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Omalpc32.exe | command line: C:\Windows\system32\Omalpc32.exe | PID:4516
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Omfekbdh.exe | command line: C:\Windows\system32\Omfekbdh.exe | PID:2644
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Pcbkml32.exe | command line: C:\Windows\system32\Pcbkml32.exe | PID:1744
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Pbjddh32.exe | command line: C:\Windows\system32\Pbjddh32.exe | PID:4144
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Pjcikejg.exe | command line: C:\Windows\system32\Pjcikejg.exe | PID:1112
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Apeknk32.exe | command line: C:\Windows\system32\Apeknk32.exe | PID:2800
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Acccdj32.exe | command line: C:\Windows\system32\Acccdj32.exe | PID:3792
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Amkhmoap.exe | command line: C:\Windows\system32\Amkhmoap.exe | PID:5056
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Abjmkf32.exe | command line: C:\Windows\system32\Abjmkf32.exe | PID:2488
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Adjjeieh.exe | command line: C:\Windows\system32\Adjjeieh.exe | PID:3736
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Bpqjjjjl.exe | command line: C:\Windows\system32\Bpqjjjjl.exe | PID:2340
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Biiobo32.exe | command line: C:\Windows\system32\Biiobo32.exe | PID:1120
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Bbaclegm.exe | command line: C:\Windows\system32\Bbaclegm.exe | PID:3184
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Babcil32.exe | command line: C:\Windows\system32\Babcil32.exe | PID:3248
   - Executes dropped EXE
   - Drops file in System32 directory
42. C:\Windows\SysWOW64\Bgdemb32.exe | command line: C:\Windows\system32\Bgdemb32.exe | PID:2028
   - Executes dropped EXE
   - Drops file in System32 directory
43. C:\Windows\SysWOW64\Cbkfbcpb.exe | command line: C:\Windows\system32\Cbkfbcpb.exe | PID:116
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Cdmoafdb.exe | command line: C:\Windows\system32\Cdmoafdb.exe | PID:2992
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Dinael32.exe | command line: C:\Windows\system32\Dinael32.exe | PID:4824
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Dknnoofg.exe | command line: C:\Windows\system32\Dknnoofg.exe | PID:1196
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Dkpjdo32.exe | command line: C:\Windows\system32\Dkpjdo32.exe | PID:3524
   - Executes dropped EXE
   - Modifies registry class
48. C:\Windows\SysWOW64\Dcnlnaom.exe | command line: C:\Windows\system32\Dcnlnaom.exe | PID:4832
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Eaceghcg.exe | command line: C:\Windows\system32\Eaceghcg.exe | PID:1796
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Eahobg32.exe | command line: C:\Windows\system32\Eahobg32.exe | PID:3744
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Fnalmh32.exe | command line: C:\Windows\system32\Fnalmh32.exe | PID:4700
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Fnffhgon.exe | command line: C:\Windows\system32\Fnffhgon.exe | PID:4048
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Fjocbhbo.exe | command line: C:\Windows\system32\Fjocbhbo.exe | PID:2060
   - Executes dropped EXE
   - Drops file in System32 directory
54. C:\Windows\SysWOW64\Gkoplk32.exe | command line: C:\Windows\system32\Gkoplk32.exe | PID:1616
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Gcjdam32.exe | command line: C:\Windows\system32\Gcjdam32.exe | PID:1348
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Gjficg32.exe | command line: C:\Windows\system32\Gjficg32.exe | PID:2236
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Hccggl32.exe | command line: C:\Windows\system32\Hccggl32.exe | PID:4560
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Hjolie32.exe | command line: C:\Windows\system32\Hjolie32.exe | PID:4696
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Hgeihiac.exe | command line: C:\Windows\system32\Hgeihiac.exe | PID:4668
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Iabglnco.exe | command line: C:\Windows\system32\Iabglnco.exe | PID:3692
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Inidkb32.exe | command line: C:\Windows\system32\Inidkb32.exe | PID:4952
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Ijbbfc32.exe | command line: C:\Windows\system32\Ijbbfc32.exe | PID:3336
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Jdmcdhhe.exe | command line: C:\Windows\system32\Jdmcdhhe.exe | PID:3624
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Jdopjh32.exe | command line: C:\Windows\system32\Jdopjh32.exe | PID:3872
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Kbeibo32.exe | command line: C:\Windows\system32\Kbeibo32.exe | PID:1204
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Kkpnga32.exe | command line: C:\Windows\system32\Kkpnga32.exe | PID:392
67. C:\Windows\SysWOW64\Klpjad32.exe | command line: C:\Windows\system32\Klpjad32.exe | PID:4648
68. C:\Windows\SysWOW64\Kopcbo32.exe | command line: C:\Windows\system32\Kopcbo32.exe | PID:3096
69. C:\Windows\SysWOW64\Kdmlkfjb.exe | command line: C:\Windows\system32\Kdmlkfjb.exe | PID:5160
70. C:\Windows\SysWOW64\Kocphojh.exe | command line: C:\Windows\system32\Kocphojh.exe | PID:5212
71. C:\Windows\SysWOW64\Loemnnhe.exe | command line: C:\Windows\system32\Loemnnhe.exe | PID:5252
72. C:\Windows\SysWOW64\Lhmafcnf.exe | command line: C:\Windows\system32\Lhmafcnf.exe | PID:5300
   - Modifies registry class
73. C:\Windows\SysWOW64\Lbcedmnl.exe | command line: C:\Windows\system32\Lbcedmnl.exe | PID:5340
74. C:\Windows\SysWOW64\Lhpnlclc.exe | command line: C:\Windows\system32\Lhpnlclc.exe | PID:5380
75. C:\Windows\SysWOW64\Ledoegkm.exe | command line: C:\Windows\system32\Ledoegkm.exe | PID:5428
76. C:\Windows\SysWOW64\Lolcnman.exe | command line: C:\Windows\system32\Lolcnman.exe | PID:5500
77. C:\Windows\SysWOW64\Mociol32.exe | command line: C:\Windows\system32\Mociol32.exe | PID:5572
   - Adds autorun key to be loaded by Explorer.exe on startup
78. C:\Windows\SysWOW64\Mklfjm32.exe | command line: C:\Windows\system32\Mklfjm32.exe | PID:5620
79. C:\Windows\SysWOW64\Nkeipk32.exe | command line: C:\Windows\system32\Nkeipk32.exe | PID:5672
80. C:\Windows\SysWOW64\Nfnjbdep.exe | command line: C:\Windows\system32\Nfnjbdep.exe | PID:5716
81. C:\Windows\SysWOW64\Ohncdobq.exe | command line: C:\Windows\system32\Ohncdobq.exe | PID:5764
82. C:\Windows\SysWOW64\Oomelheh.exe | command line: C:\Windows\system32\Oomelheh.exe | PID:5812
83. C:\Windows\SysWOW64\Ocknbglo.exe | command line: C:\Windows\system32\Ocknbglo.exe | PID:5876
   - Drops file in System32 directory
84. C:\Windows\SysWOW64\Okfbgiij.exe | command line: C:\Windows\system32\Okfbgiij.exe | PID:5916
   - Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Pcpgmf32.exe | command line: C:\Windows\system32\Pcpgmf32.exe | PID:5960
86. C:\Windows\SysWOW64\Pmhkflnj.exe | command line: C:\Windows\system32\Pmhkflnj.exe | PID:6004
87. C:\Windows\SysWOW64\Pmjhlklg.exe | command line: C:\Windows\system32\Pmjhlklg.exe | PID:6044
88. C:\Windows\SysWOW64\Peempn32.exe | command line: C:\Windows\system32\Peempn32.exe | PID:6088
   - Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Qmanljfo.exe | command line: C:\Windows\system32\Qmanljfo.exe | PID:6136
90. C:\Windows\SysWOW64\Abcppq32.exe | command line: C:\Windows\system32\Abcppq32.exe | PID:5180
   - Drops file in System32 directory
91. C:\Windows\SysWOW64\Almanf32.exe | command line: C:\Windows\system32\Almanf32.exe | PID:5196
92. C:\Windows\SysWOW64\Ammnhilb.exe | command line: C:\Windows\system32\Ammnhilb.exe | PID:5368
93. C:\Windows\SysWOW64\Amoknh32.exe | command line: C:\Windows\system32\Amoknh32.exe | PID:5396
94. C:\Windows\SysWOW64\Bmddihfj.exe | command line: C:\Windows\system32\Bmddihfj.exe | PID:5584
   - Drops file in System32 directory
95. C:\Windows\SysWOW64\Cdebfago.exe | command line: C:\Windows\system32\Cdebfago.exe | PID:5664
96. C:\Windows\SysWOW64\Clpgkcdj.exe | command line: C:\Windows\system32\Clpgkcdj.exe | PID:5744
97. C:\Windows\SysWOW64\Cemeoh32.exe | command line: C:\Windows\system32\Cemeoh32.exe | PID:5824
   - Modifies registry class
98. C:\Windows\SysWOW64\Ddqbbo32.exe | command line: C:\Windows\system32\Ddqbbo32.exe | PID:5908
99. C:\Windows\SysWOW64\Dmifkecb.exe | command line: C:\Windows\system32\Dmifkecb.exe | PID:5940
100. C:\Windows\SysWOW64\Dedkogqm.exe | command line: C:\Windows\system32\Dedkogqm.exe | PID:6040
101. C:\Windows\SysWOW64\Ddekmo32.exe | command line: C:\Windows\system32\Ddekmo32.exe | PID:6056
102. C:\Windows\SysWOW64\Dibdeegc.exe | command line: C:\Windows\system32\Dibdeegc.exe | PID:3484
103. C:\Windows\SysWOW64\Deidjf32.exe | command line: C:\Windows\system32\Deidjf32.exe | PID:5296
104. C:\Windows\SysWOW64\Dpoiho32.exe | command line: C:\Windows\system32\Dpoiho32.exe | PID:5388
105. C:\Windows\SysWOW64\Edlann32.exe | command line: C:\Windows\system32\Edlann32.exe | PID:5484
106. C:\Windows\SysWOW64\Edoncm32.exe | command line: C:\Windows\system32\Edoncm32.exe | PID:5648
107. C:\Windows\SysWOW64\Edcgnmml.exe | command line: C:\Windows\system32\Edcgnmml.exe | PID:5772
108. C:\Windows\SysWOW64\Elolco32.exe | command line: C:\Windows\system32\Elolco32.exe | PID:2780
109. C:\Windows\SysWOW64\Flaiho32.exe | command line: C:\Windows\system32\Flaiho32.exe | PID:2872
   - Drops file in System32 directory
110. C:\Windows\SysWOW64\Fpandm32.exe | command line: C:\Windows\system32\Fpandm32.exe | PID:6032
111. C:\Windows\SysWOW64\Fneoma32.exe | command line: C:\Windows\system32\Fneoma32.exe | PID:4108
112. C:\Windows\SysWOW64\Fdadpk32.exe | command line: C:\Windows\system32\Fdadpk32.exe | PID:5284
   - Modifies registry class
113. C:\Windows\SysWOW64\Glmhdm32.exe | command line: C:\Windows\system32\Glmhdm32.exe | PID:5508
114. C:\Windows\SysWOW64\Gnlenp32.exe | command line: C:\Windows\system32\Gnlenp32.exe | PID:5708
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
115. C:\Windows\SysWOW64\Gdfmkjlg.exe | command line: C:\Windows\system32\Gdfmkjlg.exe | PID:5280
116. C:\Windows\SysWOW64\Gjcfcakn.exe | command line: C:\Windows\system32\Gjcfcakn.exe | PID:6080
117. C:\Windows\SysWOW64\Gggfme32.exe | command line: C:\Windows\system32\Gggfme32.exe | PID:5336
118. C:\Windows\SysWOW64\Gqokekph.exe | command line: C:\Windows\system32\Gqokekph.exe | PID:5656
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Gglpgd32.exe | command line: C:\Windows\system32\Gglpgd32.exe | PID:6012
120. C:\Windows\SysWOW64\Hjoeoo32.exe | command line: C:\Windows\system32\Hjoeoo32.exe | PID:5412
121. C:\Windows\SysWOW64\Hqkjaifk.exe | command line: C:\Windows\system32\Hqkjaifk.exe | PID:5996
122. C:\Windows\SysWOW64\Hmbkfjko.exe | command line: C:\Windows\system32\Hmbkfjko.exe | PID:2092