Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
16/05/2024, 20:23
Behavioral task
behavioral1
Sample
2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe
-
Size
2.7MB
-
MD5
2a83aa8b17bf91993ea2d6f7fcdfff00
-
SHA1
79574d4e50e225245dc02e2cc9e9a843f88ba3f5
-
SHA256
515031942866e2c75814592f9102ffe395d6ac79935595a1430825c46ae955ea
-
SHA512
847a63d0c32d0c4b39acda21a3c007f3721ca8fe80ebe5ab8e46319e1bc03aed392d73abe3ffcb2813a274a7327b5c397517d1124bf7ff6691408c4ea90a0398
-
SSDEEP
49152:vOaSHFaZRBEYyqmS2DiHPKQgmZUnaUgpC7jvha51P4wzlF65CEYQA5j4:vOaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUd
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnakhkol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohehq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fomhdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbdbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaompd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkokcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbahlip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgopffec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbefdijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojiqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daolnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffddka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcdbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajnfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niipjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbmncp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipnalhii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdbmhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohoigfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkkple32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbimoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiigadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqgedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpmoiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paegjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iemppiab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dclkee32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000022f2b-7.dat family_berbew behavioral2/files/0x0007000000023437-15.dat family_berbew behavioral2/files/0x000700000002343a-24.dat family_berbew behavioral2/files/0x000700000002343c-32.dat family_berbew behavioral2/files/0x000700000002343e-40.dat family_berbew behavioral2/files/0x0007000000023440-47.dat family_berbew behavioral2/files/0x0007000000023442-55.dat family_berbew behavioral2/files/0x0007000000023444-64.dat family_berbew behavioral2/files/0x0007000000023446-72.dat family_berbew behavioral2/files/0x0007000000023447-80.dat family_berbew behavioral2/files/0x0007000000023449-88.dat family_berbew behavioral2/files/0x000700000002344e-96.dat family_berbew behavioral2/files/0x0003000000021ebc-112.dat family_berbew behavioral2/files/0x0007000000023455-126.dat family_berbew behavioral2/files/0x0007000000023457-136.dat family_berbew behavioral2/files/0x0007000000023459-144.dat family_berbew behavioral2/files/0x000700000002345b-152.dat family_berbew behavioral2/files/0x000700000002345e-168.dat family_berbew behavioral2/files/0x0007000000023460-176.dat family_berbew behavioral2/files/0x0007000000023464-185.dat family_berbew behavioral2/files/0x0007000000023468-208.dat family_berbew behavioral2/files/0x000700000002346a-215.dat family_berbew behavioral2/files/0x0007000000023466-200.dat family_berbew behavioral2/files/0x0007000000023462-184.dat family_berbew behavioral2/files/0x000700000002345e-162.dat family_berbew behavioral2/files/0x0007000000023453-120.dat family_berbew behavioral2/files/0x0007000000023450-104.dat family_berbew behavioral2/files/0x000700000002346c-224.dat family_berbew behavioral2/files/0x000b00000002338f-240.dat family_berbew behavioral2/files/0x0007000000023470-247.dat family_berbew behavioral2/files/0x000800000002346e-256.dat family_berbew behavioral2/files/0x000a000000023386-232.dat family_berbew behavioral2/files/0x0007000000023487-318.dat family_berbew behavioral2/files/0x000a000000023384-336.dat family_berbew behavioral2/files/0x0009000000023388-348.dat family_berbew behavioral2/files/0x00080000000233aa-366.dat family_berbew behavioral2/files/0x000700000002349a-413.dat family_berbew behavioral2/files/0x00070000000234aa-463.dat family_berbew behavioral2/files/0x00070000000234b4-493.dat family_berbew behavioral2/files/0x00070000000234b9-504.dat family_berbew behavioral2/files/0x00070000000234c6-540.dat family_berbew behavioral2/files/0x000900000002338a-528.dat family_berbew behavioral2/files/0x00070000000234cc-572.dat family_berbew behavioral2/files/0x00070000000234d3-604.dat family_berbew behavioral2/files/0x00070000000234df-644.dat family_berbew behavioral2/files/0x00070000000234f5-714.dat family_berbew behavioral2/files/0x00070000000234fe-740.dat family_berbew behavioral2/files/0x0007000000023506-766.dat family_berbew behavioral2/files/0x0007000000023516-817.dat family_berbew behavioral2/files/0x000a000000023392-516.dat family_berbew behavioral2/files/0x0007000000023481-300.dat family_berbew behavioral2/files/0x000700000002352e-903.dat family_berbew behavioral2/files/0x0007000000023534-926.dat family_berbew behavioral2/files/0x000700000002352c-894.dat family_berbew behavioral2/files/0x000700000002353c-954.dat family_berbew behavioral2/files/0x0007000000023542-973.dat family_berbew behavioral2/files/0x0007000000023548-998.dat family_berbew behavioral2/files/0x0007000000023554-1041.dat family_berbew behavioral2/files/0x0007000000023566-1105.dat family_berbew behavioral2/files/0x0007000000023593-1256.dat family_berbew behavioral2/files/0x0007000000023599-1275.dat family_berbew behavioral2/files/0x00070000000235ad-1351.dat family_berbew behavioral2/files/0x00070000000235b1-1366.dat family_berbew behavioral2/files/0x00070000000235b9-1396.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 936 Fjhmgeao.exe 3740 Fqaeco32.exe 3488 Gcbnejem.exe 4136 Gjlfbd32.exe 748 Gqfooodg.exe 3260 Gppekj32.exe 2076 Hbanme32.exe 4940 Hpenfjad.exe 3268 Himcoo32.exe 3024 Hjolnb32.exe 2560 Ipnalhii.exe 804 Ipckgh32.exe 2292 Iikopmkd.exe 1068 Ijkljp32.exe 3880 Imihfl32.exe 2528 Jagqlj32.exe 1792 Jbhmdbnp.exe 1624 Jibeql32.exe 1896 Jfffjqdf.exe 448 Kmegbjgn.exe 3432 Kgmlkp32.exe 3240 Kacphh32.exe 812 Kkkdan32.exe 3936 Kdcijcke.exe 2868 Kknafn32.exe 1160 Kmlnbi32.exe 4480 Kgdbkohf.exe 3708 Kmnjhioc.exe 3676 Mdmegp32.exe 4204 Mcbahlip.exe 2304 Ndbnboqb.exe 1536 Nklfoi32.exe 4704 Nafokcol.exe 1596 Ncgkcl32.exe 4268 Nkncdifl.exe 916 Nnmopdep.exe 4440 Nkqpjidj.exe 2256 Nbkhfc32.exe 4908 Nggqoj32.exe 3552 Odpjcm32.exe 3964 Okjbpglo.exe 816 Onholckc.exe 1172 Odbgim32.exe 2464 Obfhba32.exe 4664 Ocgdji32.exe 4488 Okolkg32.exe 5108 Oqkdcn32.exe 3272 Pgemphmn.exe 652 Pbkamqmd.exe 1164 Pclneicb.exe 1468 Pbmncp32.exe 540 Pcojkhap.exe 3996 Pjhbgb32.exe 3560 Pengdk32.exe 4444 Pjkombfj.exe 3536 Paegjl32.exe 1408 Pgopffec.exe 4620 Pagdol32.exe 2148 Qgallfcq.exe 4572 Qnkdhpjn.exe 1956 Qeemej32.exe 5064 Qloebdig.exe 396 Qbimoo32.exe 2372 Agffge32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hcblpdgg.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Lcggio32.exe Lnjnqh32.exe File created C:\Windows\SysWOW64\Kpkbnj32.dll Mcpcdg32.exe File created C:\Windows\SysWOW64\Iejcji32.exe Icifbang.exe File created C:\Windows\SysWOW64\Gkobjpin.exe Gafmaj32.exe File created C:\Windows\SysWOW64\Oebflhaf.exe Opemca32.exe File created C:\Windows\SysWOW64\Jllhpkfk.exe Jafdcbge.exe File opened for modification C:\Windows\SysWOW64\Dpgnjo32.exe Djjebh32.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Ompfej32.exe File created C:\Windows\SysWOW64\Ecoangbg.exe Eleiam32.exe File created C:\Windows\SysWOW64\Pmannhhj.exe Pfhfan32.exe File created C:\Windows\SysWOW64\Kjmmepfj.exe Kbbhqn32.exe File created C:\Windows\SysWOW64\Cmcgolla.dll Gejopl32.exe File created C:\Windows\SysWOW64\Qmfqknfm.dll Lnoaaaad.exe File created C:\Windows\SysWOW64\Mghpbg32.dll Kacphh32.exe File created C:\Windows\SysWOW64\Cjcjni32.dll Phelcc32.exe File created C:\Windows\SysWOW64\Abdkep32.dll Eiahnnph.exe File created C:\Windows\SysWOW64\Ggcjqj32.dll Imihfl32.exe File created C:\Windows\SysWOW64\Jibeql32.exe Jbhmdbnp.exe File created C:\Windows\SysWOW64\Ookjdn32.exe Oebflhaf.exe File created C:\Windows\SysWOW64\Hnodaecc.exe Hgelek32.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dmennnni.exe File created C:\Windows\SysWOW64\Ngndaccj.exe Njjdho32.exe File created C:\Windows\SysWOW64\Kbgfhnhi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Glhonj32.exe File created C:\Windows\SysWOW64\Ehjhee32.dll Fnaokmco.exe File created C:\Windows\SysWOW64\Gnhnaf32.exe Ghkeio32.exe File opened for modification C:\Windows\SysWOW64\Fgoakc32.exe Fqeioiam.exe File opened for modification C:\Windows\SysWOW64\Jbepme32.exe Jllhpkfk.exe File created C:\Windows\SysWOW64\Bhfonc32.exe Behbag32.exe File created C:\Windows\SysWOW64\Jpkbko32.dll Inainbcn.exe File opened for modification C:\Windows\SysWOW64\Caageq32.exe Cdmfllhn.exe File created C:\Windows\SysWOW64\Iefioj32.exe Hbgmcnhf.exe File opened for modification C:\Windows\SysWOW64\Npcoakfp.exe Menjdbgj.exe File opened for modification C:\Windows\SysWOW64\Aonhghjl.exe Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Pjhbgb32.exe Pcojkhap.exe File created C:\Windows\SysWOW64\Moobbb32.exe Mhdjehhj.exe File opened for modification C:\Windows\SysWOW64\Piocecgj.exe Process not Found File created C:\Windows\SysWOW64\Ingbah32.dll Lingibiq.exe File created C:\Windows\SysWOW64\Ehighp32.dll Ihbdplfi.exe File created C:\Windows\SysWOW64\Elekoe32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dkfadkgf.exe Digehphc.exe File created C:\Windows\SysWOW64\Ddklbd32.exe Process not Found File created C:\Windows\SysWOW64\Flgmek32.dll Bbnpqk32.exe File created C:\Windows\SysWOW64\Ecnpbjmi.dll Hbgmcnhf.exe File opened for modification C:\Windows\SysWOW64\Gohaeo32.exe Gdbmhf32.exe File created C:\Windows\SysWOW64\Kbpkkn32.exe Kiggbhda.exe File created C:\Windows\SysWOW64\Kfkklk32.dll Process not Found File created C:\Windows\SysWOW64\Kbghfc32.exe Kiodmn32.exe File opened for modification C:\Windows\SysWOW64\Mjokgg32.exe Mgaokl32.exe File opened for modification C:\Windows\SysWOW64\Peahgl32.exe Oogpjbbb.exe File created C:\Windows\SysWOW64\Mfenglqf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ofcmfodb.exe Odapnf32.exe File opened for modification C:\Windows\SysWOW64\Hcpojd32.exe Hlegnjbm.exe File created C:\Windows\SysWOW64\Gohaeo32.exe Gdbmhf32.exe File created C:\Windows\SysWOW64\Liaolo32.dll Bhamkipi.exe File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Gijmad32.exe Gbpedjnb.exe File created C:\Windows\SysWOW64\Eelcja32.dll Eeidoc32.exe File opened for modification C:\Windows\SysWOW64\Acmobchj.exe Alcfei32.exe File created C:\Windows\SysWOW64\Fnoimo32.dll Fbfcmhpg.exe File created C:\Windows\SysWOW64\Fideeaco.exe Fbjmhh32.exe File opened for modification C:\Windows\SysWOW64\Lmdnbn32.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Bpenhh32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 11900 5568 Process not Found 1307 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckedalaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfdfgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll" Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cppnfc32.dll" Gpaqbbld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmjemflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diicml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbicpfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkljak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemic32.dll" Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbdnnae.dll" Kgknhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcckk32.dll" Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdelednc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdjapoo.dll" Ilghlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leckbi32.dll" Qjnkcekm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll" Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnenbk32.dll" Camphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnoeha32.dll" Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmhgmmbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfankifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll" Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkddhpn.dll" Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffqhcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elbmlmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniggbmk.dll" Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeegfibg.dll" Dhikci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfgko32.dll" Lhnhajba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Megdccmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll" Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll" Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoefilfc.dll" Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinnnm32.dll" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkljak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjbebh.dll" Hmcojh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 936 4596 2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe 82 PID 4596 wrote to memory of 936 4596 2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe 82 PID 4596 wrote to memory of 936 4596 2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe 82 PID 936 wrote to memory of 3740 936 Fjhmgeao.exe 83 PID 936 wrote to memory of 3740 936 Fjhmgeao.exe 83 PID 936 wrote to memory of 3740 936 Fjhmgeao.exe 83 PID 3740 wrote to memory of 3488 3740 Fqaeco32.exe 84 PID 3740 wrote to memory of 3488 3740 Fqaeco32.exe 84 PID 3740 wrote to memory of 3488 3740 Fqaeco32.exe 84 PID 3488 wrote to memory of 4136 3488 Gcbnejem.exe 85 PID 3488 wrote to memory of 4136 3488 Gcbnejem.exe 85 PID 3488 wrote to memory of 4136 3488 Gcbnejem.exe 85 PID 4136 wrote to memory of 748 4136 Gjlfbd32.exe 87 PID 4136 wrote to memory of 748 4136 Gjlfbd32.exe 87 PID 4136 wrote to memory of 748 4136 Gjlfbd32.exe 87 PID 748 wrote to memory of 3260 748 Gqfooodg.exe 88 PID 748 wrote to memory of 3260 748 Gqfooodg.exe 88 PID 748 wrote to memory of 3260 748 Gqfooodg.exe 88 PID 3260 wrote to memory of 2076 3260 Gppekj32.exe 90 PID 3260 wrote to memory of 2076 3260 Gppekj32.exe 90 PID 3260 wrote to memory of 2076 3260 Gppekj32.exe 90 PID 2076 wrote to memory of 4940 2076 Hbanme32.exe 92 PID 2076 wrote to memory of 4940 2076 Hbanme32.exe 92 PID 2076 wrote to memory of 4940 2076 Hbanme32.exe 92 PID 4940 wrote to memory of 3268 4940 Hpenfjad.exe 93 PID 4940 wrote to memory of 3268 4940 Hpenfjad.exe 93 PID 4940 wrote to memory of 3268 4940 Hpenfjad.exe 93 PID 3268 wrote to memory of 3024 3268 Himcoo32.exe 94 PID 3268 wrote to memory of 3024 3268 Himcoo32.exe 94 PID 3268 wrote to memory of 3024 3268 Himcoo32.exe 94 PID 3024 wrote to memory of 2560 3024 Hjolnb32.exe 95 PID 3024 wrote to memory of 2560 3024 Hjolnb32.exe 95 PID 3024 wrote to memory of 2560 3024 Hjolnb32.exe 95 PID 2560 wrote to memory of 804 2560 Ipnalhii.exe 96 PID 2560 wrote to memory of 804 2560 Ipnalhii.exe 96 PID 2560 wrote to memory of 804 2560 Ipnalhii.exe 96 PID 804 wrote to memory of 2292 804 Ipckgh32.exe 97 PID 804 wrote to memory of 2292 804 Ipckgh32.exe 97 PID 804 wrote to memory of 2292 804 Ipckgh32.exe 97 PID 2292 wrote to memory of 1068 2292 Iikopmkd.exe 98 PID 2292 wrote to memory of 1068 2292 Iikopmkd.exe 98 PID 2292 wrote to memory of 1068 2292 Iikopmkd.exe 98 PID 1068 wrote to memory of 3880 1068 Ijkljp32.exe 99 PID 1068 wrote to memory of 3880 1068 Ijkljp32.exe 99 PID 1068 wrote to memory of 3880 1068 Ijkljp32.exe 99 PID 3880 wrote to memory of 2528 3880 Imihfl32.exe 100 PID 3880 wrote to memory of 2528 3880 Imihfl32.exe 100 PID 3880 wrote to memory of 2528 3880 Imihfl32.exe 100 PID 2528 wrote to memory of 1792 2528 Jagqlj32.exe 101 PID 2528 wrote to memory of 1792 2528 Jagqlj32.exe 101 PID 2528 wrote to memory of 1792 2528 Jagqlj32.exe 101 PID 1792 wrote to memory of 1624 1792 Jbhmdbnp.exe 102 PID 1792 wrote to memory of 1624 1792 Jbhmdbnp.exe 102 PID 1792 wrote to memory of 1624 1792 Jbhmdbnp.exe 102 PID 1624 wrote to memory of 1896 1624 Jibeql32.exe 103 PID 1624 wrote to memory of 1896 1624 Jibeql32.exe 103 PID 1624 wrote to memory of 1896 1624 Jibeql32.exe 103 PID 1896 wrote to memory of 448 1896 Jfffjqdf.exe 104 PID 1896 wrote to memory of 448 1896 Jfffjqdf.exe 104 PID 1896 wrote to memory of 448 1896 Jfffjqdf.exe 104 PID 448 wrote to memory of 3432 448 Kmegbjgn.exe 105 PID 448 wrote to memory of 3432 448 Kmegbjgn.exe 105 PID 448 wrote to memory of 3432 448 Kmegbjgn.exe 105 PID 3432 wrote to memory of 3240 3432 Kgmlkp32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2a83aa8b17bf91993ea2d6f7fcdfff00_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe24⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe25⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe26⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe27⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe28⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe29⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe30⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe32⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe33⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe34⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe35⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe36⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe37⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe38⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe39⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe40⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe41⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe42⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe44⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe45⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe46⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe47⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe48⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe49⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe50⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe51⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe54⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe55⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe56⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe59⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe60⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe61⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe62⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe63⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe65⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe66⤵PID:4684
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe67⤵PID:2288
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe68⤵PID:5132
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe69⤵PID:5176
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe70⤵PID:5216
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe71⤵PID:5256
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe72⤵PID:5296
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe73⤵PID:5336
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe74⤵PID:5376
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe75⤵PID:5416
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe76⤵PID:5456
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5508 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe78⤵PID:5548
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe79⤵PID:5588
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe80⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe81⤵PID:5672
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe82⤵PID:5732
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe83⤵PID:5788
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe84⤵
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe85⤵PID:5896
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe86⤵PID:5940
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe87⤵PID:5980
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe88⤵PID:6020
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe89⤵PID:6064
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe90⤵PID:6104
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe91⤵PID:5140
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe92⤵PID:5208
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe93⤵PID:5264
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe94⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe95⤵PID:3856
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe96⤵
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe98⤵PID:3296
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe99⤵PID:2428
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe100⤵PID:5664
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe101⤵PID:5648
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe102⤵PID:5824
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe103⤵PID:5748
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe104⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe105⤵PID:6012
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe106⤵PID:5964
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe107⤵PID:5908
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe108⤵PID:5224
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe110⤵PID:5408
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe111⤵PID:5576
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe112⤵PID:5620
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe113⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe114⤵
- Modifies registry class
PID:5728 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe115⤵
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe116⤵PID:6060
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe117⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe118⤵PID:3448
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe119⤵PID:6072
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe120⤵PID:4492
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe121⤵PID:4852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-