Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 20:47
Behavioral task
behavioral1
Sample
2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe
-
Size
229KB
-
MD5
2ff4e1f44770a0f19e1e920dad597ba0
-
SHA1
0c05008e80bd2c81b4a53365a9f1092fd7eb1b0e
-
SHA256
60039391edd4379e6b6dbdd1f49706f233abc3a75b1b54701f6ea9ca5caedbdd
-
SHA512
f5d42ccf10b1d44833f9ac17a2782c5c6fb541d597fcd23952e0aca55e1d4fa7d6a2241c449501dfd8e17e15de6be9010a730349f0cbab8b3b0fd9fc2833d370
-
SSDEEP
6144:rRhOubhRMweStpvu271+HZ/pvkym/89bYEwPhCKvav:rRNM8Tb7AIfFfvav
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpngfgle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkhpkoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncpcfkbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Begeknan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjifhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cphndc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghelfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndjfeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afgkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcnhjnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iimjmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjnamh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igonafba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmnace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agdjkogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljnej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmcfhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajecmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nplmop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhloponc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b000000012286-5.dat family_berbew behavioral1/files/0x0008000000015cb8-27.dat family_berbew behavioral1/files/0x0007000000015cdf-33.dat family_berbew behavioral1/files/0x0007000000015cf0-46.dat family_berbew behavioral1/files/0x0008000000016455-59.dat family_berbew behavioral1/files/0x00060000000165e1-79.dat family_berbew behavioral1/files/0x0006000000016a8a-86.dat family_berbew behavioral1/files/0x0006000000016c6f-99.dat family_berbew behavioral1/files/0x0006000000016cc1-112.dat family_berbew behavioral1/files/0x0006000000016d17-129.dat family_berbew behavioral1/files/0x0006000000016d32-139.dat family_berbew behavioral1/files/0x0006000000016d43-159.dat family_berbew behavioral1/files/0x0037000000015693-166.dat family_berbew behavioral1/files/0x0006000000016d64-179.dat family_berbew behavioral1/files/0x0006000000016d6f-197.dat family_berbew behavioral1/files/0x0006000000016d9f-212.dat family_berbew behavioral1/files/0x0006000000016dc8-221.dat family_berbew behavioral1/files/0x0006000000016ddc-230.dat family_berbew behavioral1/files/0x00060000000171d7-240.dat family_berbew behavioral1/files/0x00060000000173ca-250.dat family_berbew behavioral1/files/0x00060000000173f9-261.dat family_berbew behavioral1/files/0x0014000000018668-271.dat family_berbew behavioral1/files/0x000500000001870e-282.dat family_berbew behavioral1/files/0x000500000001871f-291.dat family_berbew behavioral1/files/0x0005000000018784-302.dat family_berbew behavioral1/files/0x000500000001879e-313.dat family_berbew behavioral1/memory/1828-316-0x0000000000320000-0x0000000000362000-memory.dmp family_berbew behavioral1/files/0x0006000000018b86-326.dat family_berbew behavioral1/files/0x0006000000018bed-335.dat family_berbew behavioral1/files/0x0005000000019314-346.dat family_berbew behavioral1/memory/2336-350-0x0000000000260000-0x00000000002A2000-memory.dmp family_berbew behavioral1/memory/2336-349-0x0000000000260000-0x00000000002A2000-memory.dmp family_berbew behavioral1/files/0x00050000000193d9-359.dat family_berbew behavioral1/files/0x00050000000193ff-370.dat family_berbew behavioral1/memory/2620-371-0x0000000000250000-0x0000000000292000-memory.dmp family_berbew behavioral1/files/0x000500000001942b-379.dat family_berbew behavioral1/files/0x0005000000019470-390.dat family_berbew behavioral1/files/0x00050000000194b3-401.dat family_berbew behavioral1/files/0x000500000001952d-412.dat family_berbew behavioral1/files/0x0005000000019627-421.dat family_berbew behavioral1/files/0x000500000001962b-434.dat family_berbew behavioral1/files/0x000500000001962f-445.dat family_berbew behavioral1/memory/2000-449-0x0000000000250000-0x0000000000292000-memory.dmp family_berbew behavioral1/memory/2000-448-0x0000000000250000-0x0000000000292000-memory.dmp family_berbew behavioral1/files/0x0005000000019635-456.dat family_berbew behavioral1/files/0x000500000001963b-467.dat family_berbew behavioral1/files/0x000500000001963f-477.dat family_berbew behavioral1/files/0x0005000000019641-489.dat family_berbew behavioral1/memory/1964-503-0x00000000002D0000-0x0000000000312000-memory.dmp family_berbew behavioral1/files/0x0005000000019643-502.dat family_berbew behavioral1/files/0x00050000000196bf-510.dat family_berbew behavioral1/files/0x00050000000196c4-522.dat family_berbew behavioral1/files/0x000500000001970d-530.dat family_berbew behavioral1/files/0x0005000000019859-542.dat family_berbew behavioral1/files/0x000500000001991d-554.dat family_berbew behavioral1/files/0x0005000000019afe-565.dat family_berbew behavioral1/files/0x0005000000019c6c-574.dat family_berbew behavioral1/files/0x0005000000019d63-583.dat family_berbew behavioral1/files/0x0005000000019dd5-592.dat family_berbew behavioral1/files/0x0005000000019f31-607.dat family_berbew behavioral1/files/0x000500000001a05a-618.dat family_berbew behavioral1/files/0x000500000001a0c1-630.dat family_berbew behavioral1/files/0x000500000001a3de-638.dat family_berbew behavioral1/files/0x000500000001a473-648.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1976 Pmqdkj32.exe 2640 Pnbacbac.exe 2712 Pbmmcq32.exe 1276 Qlhnbf32.exe 2520 Qdccfh32.exe 2492 Qmlgonbe.exe 3028 Ajphib32.exe 2948 Aplpai32.exe 864 Aiedjneg.exe 2584 Adjigg32.exe 1948 Alenki32.exe 2752 Afkbib32.exe 1924 Apcfahio.exe 1664 Ahokfj32.exe 1284 Bagpopmj.exe 2920 Bingpmnl.exe 2100 Bbflib32.exe 1900 Bkaqmeah.exe 2376 Begeknan.exe 1528 Bghabf32.exe 596 Bpafkknm.exe 2804 Bgknheej.exe 3036 Bdooajdc.exe 2904 Cljcelan.exe 1828 Cfbhnaho.exe 2888 Cphlljge.exe 1588 Chcqpmep.exe 2336 Comimg32.exe 2692 Chemfl32.exe 2620 Cckace32.exe 2788 Ckffgg32.exe 2776 Cndbcc32.exe 2568 Dodonf32.exe 1600 Dqelenlc.exe 1144 Dgodbh32.exe 1428 Dqhhknjp.exe 2000 Dcfdgiid.exe 468 Dchali32.exe 2832 Dfgmhd32.exe 1984 Dqlafm32.exe 2244 Doobajme.exe 1964 Eqonkmdh.exe 1716 Ejgcdb32.exe 1124 Emeopn32.exe 1696 Ebbgid32.exe 492 Eeqdep32.exe 2044 Eilpeooq.exe 604 Enihne32.exe 3004 Eecqjpee.exe 2396 Egamfkdh.exe 1724 Epieghdk.exe 2232 Eajaoq32.exe 2760 Eiaiqn32.exe 2704 Ejbfhfaj.exe 2504 Ebinic32.exe 1148 Fehjeo32.exe 2516 Fhffaj32.exe 2980 Fnpnndgp.exe 2964 Fmcoja32.exe 2016 Fejgko32.exe 1988 Fhhcgj32.exe 2596 Fjgoce32.exe 2856 Faagpp32.exe 752 Fhkpmjln.exe -
Loads dropped DLL 64 IoCs
pid Process 616 2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe 616 2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe 1976 Pmqdkj32.exe 1976 Pmqdkj32.exe 2640 Pnbacbac.exe 2640 Pnbacbac.exe 2712 Pbmmcq32.exe 2712 Pbmmcq32.exe 1276 Qlhnbf32.exe 1276 Qlhnbf32.exe 2520 Qdccfh32.exe 2520 Qdccfh32.exe 2492 Qmlgonbe.exe 2492 Qmlgonbe.exe 3028 Ajphib32.exe 3028 Ajphib32.exe 2948 Aplpai32.exe 2948 Aplpai32.exe 864 Aiedjneg.exe 864 Aiedjneg.exe 2584 Adjigg32.exe 2584 Adjigg32.exe 1948 Alenki32.exe 1948 Alenki32.exe 2752 Afkbib32.exe 2752 Afkbib32.exe 1924 Apcfahio.exe 1924 Apcfahio.exe 1664 Ahokfj32.exe 1664 Ahokfj32.exe 1284 Bagpopmj.exe 1284 Bagpopmj.exe 2920 Bingpmnl.exe 2920 Bingpmnl.exe 2100 Bbflib32.exe 2100 Bbflib32.exe 1900 Bkaqmeah.exe 1900 Bkaqmeah.exe 2376 Begeknan.exe 2376 Begeknan.exe 1528 Bghabf32.exe 1528 Bghabf32.exe 596 Bpafkknm.exe 596 Bpafkknm.exe 2804 Bgknheej.exe 2804 Bgknheej.exe 3036 Bdooajdc.exe 3036 Bdooajdc.exe 2904 Cljcelan.exe 2904 Cljcelan.exe 1828 Cfbhnaho.exe 1828 Cfbhnaho.exe 2888 Cphlljge.exe 2888 Cphlljge.exe 1588 Chcqpmep.exe 1588 Chcqpmep.exe 2336 Comimg32.exe 2336 Comimg32.exe 2692 Chemfl32.exe 2692 Chemfl32.exe 2620 Cckace32.exe 2620 Cckace32.exe 2788 Ckffgg32.exe 2788 Ckffgg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Clmbddgp.exe Cinfhigl.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Ombapedi.exe File created C:\Windows\SysWOW64\Lchkpi32.dll Egllae32.exe File created C:\Windows\SysWOW64\Kfbcbd32.exe Kohkfj32.exe File created C:\Windows\SysWOW64\Cckace32.exe Chemfl32.exe File opened for modification C:\Windows\SysWOW64\Ojahnj32.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Gioicn32.dll Aaolidlk.exe File created C:\Windows\SysWOW64\Pmnafl32.dll Lldlqakb.exe File opened for modification C:\Windows\SysWOW64\Mlcbenjb.exe Mhhfdo32.exe File created C:\Windows\SysWOW64\Cojema32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Fmjejphb.exe Fjlhneio.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lpphap32.exe File opened for modification C:\Windows\SysWOW64\Jnicmdli.exe Jkjfah32.exe File opened for modification C:\Windows\SysWOW64\Qkhpkoen.exe Qijdocfj.exe File created C:\Windows\SysWOW64\Inqcif32.exe Ijeghgoh.exe File opened for modification C:\Windows\SysWOW64\Kngfih32.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Bpooed32.dll Bemgilhh.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Eqbddk32.exe File opened for modification C:\Windows\SysWOW64\Biojif32.exe Bfpnmj32.exe File created C:\Windows\SysWOW64\Pheafa32.dll Comimg32.exe File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe Hcplhi32.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Cppkph32.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Dookgcij.exe File created C:\Windows\SysWOW64\Bajomhbl.exe Bnkbam32.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Aplpai32.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Ghmiam32.exe File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Gbaileio.exe Glgaok32.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Nlcnda32.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Namqci32.exe Ncjqhmkm.exe File created C:\Windows\SysWOW64\Epieghdk.exe Egamfkdh.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dchali32.exe File created C:\Windows\SysWOW64\Egdnbg32.dll Ejgcdb32.exe File created C:\Windows\SysWOW64\Hojgfemq.exe Hlljjjnm.exe File opened for modification C:\Windows\SysWOW64\Aekodi32.exe Anafhopc.exe File created C:\Windows\SysWOW64\Gdgphd32.dll Fpcqaf32.exe File opened for modification C:\Windows\SysWOW64\Ajgpbj32.exe Abphal32.exe File created C:\Windows\SysWOW64\Hpenlb32.dll Ckffgg32.exe File created C:\Windows\SysWOW64\Eppmppld.dll Mlkopcge.exe File created C:\Windows\SysWOW64\Npccpo32.exe Niikceid.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Lliflp32.exe File opened for modification C:\Windows\SysWOW64\Icmegf32.exe Ilcmjl32.exe File created C:\Windows\SysWOW64\Mjapln32.dll Hdlhjl32.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Pnajilng.exe File created C:\Windows\SysWOW64\Higeofeq.dll Ghcoqh32.exe File opened for modification C:\Windows\SysWOW64\Ndkmpe32.exe Namqci32.exe File created C:\Windows\SysWOW64\Mbbcbk32.dll Iimjmbae.exe File opened for modification C:\Windows\SysWOW64\Abhimnma.exe Alnqqd32.exe File created C:\Windows\SysWOW64\Lmlhnagm.exe Ljmlbfhi.exe File created C:\Windows\SysWOW64\Llfifq32.exe Lihmjejl.exe File created C:\Windows\SysWOW64\Pjcabmga.exe Pgeefbhm.exe File created C:\Windows\SysWOW64\Peiepfgg.exe Pamiog32.exe File opened for modification C:\Windows\SysWOW64\Nckjkl32.exe Nplmop32.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gogangdc.exe File created C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File created C:\Windows\SysWOW64\Iakdqgfi.dll Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Fbmcbbki.exe Fpngfgle.exe File opened for modification C:\Windows\SysWOW64\Idmhkpml.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Jjojofgn.exe Jbgbni32.exe File opened for modification C:\Windows\SysWOW64\Kiijnq32.exe Jfknbe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5720 5916 WerFault.exe 597 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnffgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nilhhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loeebl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Bpleef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iompkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Pmqdkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibddljof.dll" Lbiqfied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfpnmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdnepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acmhepko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckiigmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Namqci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peiepfgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knpemf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhdplq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdmmfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Faigdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehkbgdf.dll" Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okanklik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll" Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooclokl.dll" Kfbkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgbggnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmgechbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdgdempa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" Hpkjko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clmbddgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcfqoam.dll" Jgojpjem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qflhbhgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acfaeq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 616 wrote to memory of 1976 616 2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe 28 PID 616 wrote to memory of 1976 616 2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe 28 PID 616 wrote to memory of 1976 616 2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe 28 PID 616 wrote to memory of 1976 616 2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe 28 PID 1976 wrote to memory of 2640 1976 Pmqdkj32.exe 29 PID 1976 wrote to memory of 2640 1976 Pmqdkj32.exe 29 PID 1976 wrote to memory of 2640 1976 Pmqdkj32.exe 29 PID 1976 wrote to memory of 2640 1976 Pmqdkj32.exe 29 PID 2640 wrote to memory of 2712 2640 Pnbacbac.exe 30 PID 2640 wrote to memory of 2712 2640 Pnbacbac.exe 30 PID 2640 wrote to memory of 2712 2640 Pnbacbac.exe 30 PID 2640 wrote to memory of 2712 2640 Pnbacbac.exe 30 PID 2712 wrote to memory of 1276 2712 Pbmmcq32.exe 31 PID 2712 wrote to memory of 1276 2712 Pbmmcq32.exe 31 PID 2712 wrote to memory of 1276 2712 Pbmmcq32.exe 31 PID 2712 wrote to memory of 1276 2712 Pbmmcq32.exe 31 PID 1276 wrote to memory of 2520 1276 Qlhnbf32.exe 32 PID 1276 wrote to memory of 2520 1276 Qlhnbf32.exe 32 PID 1276 wrote to memory of 2520 1276 Qlhnbf32.exe 32 PID 1276 wrote to memory of 2520 1276 Qlhnbf32.exe 32 PID 2520 wrote to memory of 2492 2520 Qdccfh32.exe 33 PID 2520 wrote to memory of 2492 2520 Qdccfh32.exe 33 PID 2520 wrote to memory of 2492 2520 Qdccfh32.exe 33 PID 2520 wrote to memory of 2492 2520 Qdccfh32.exe 33 PID 2492 wrote to memory of 3028 2492 Qmlgonbe.exe 34 PID 2492 wrote to memory of 3028 2492 Qmlgonbe.exe 34 PID 2492 wrote to memory of 3028 2492 Qmlgonbe.exe 34 PID 2492 wrote to memory of 3028 2492 Qmlgonbe.exe 34 PID 3028 wrote to memory of 2948 3028 Ajphib32.exe 35 PID 3028 wrote to memory of 2948 3028 Ajphib32.exe 35 PID 3028 wrote to memory of 2948 3028 Ajphib32.exe 35 PID 3028 wrote to memory of 2948 3028 Ajphib32.exe 35 PID 2948 wrote to memory of 864 2948 Aplpai32.exe 36 PID 2948 wrote to memory of 864 2948 Aplpai32.exe 36 PID 2948 wrote to memory of 864 2948 Aplpai32.exe 36 PID 2948 wrote to memory of 864 2948 Aplpai32.exe 36 PID 864 wrote to memory of 2584 864 Aiedjneg.exe 37 PID 864 wrote to memory of 2584 864 Aiedjneg.exe 37 PID 864 wrote to memory of 2584 864 Aiedjneg.exe 37 PID 864 wrote to memory of 2584 864 Aiedjneg.exe 37 PID 2584 wrote to memory of 1948 2584 Adjigg32.exe 38 PID 2584 wrote to memory of 1948 2584 Adjigg32.exe 38 PID 2584 wrote to memory of 1948 2584 Adjigg32.exe 38 PID 2584 wrote to memory of 1948 2584 Adjigg32.exe 38 PID 1948 wrote to memory of 2752 1948 Alenki32.exe 39 PID 1948 wrote to memory of 2752 1948 Alenki32.exe 39 PID 1948 wrote to memory of 2752 1948 Alenki32.exe 39 PID 1948 wrote to memory of 2752 1948 Alenki32.exe 39 PID 2752 wrote to memory of 1924 2752 Afkbib32.exe 40 PID 2752 wrote to memory of 1924 2752 Afkbib32.exe 40 PID 2752 wrote to memory of 1924 2752 Afkbib32.exe 40 PID 2752 wrote to memory of 1924 2752 Afkbib32.exe 40 PID 1924 wrote to memory of 1664 1924 Apcfahio.exe 41 PID 1924 wrote to memory of 1664 1924 Apcfahio.exe 41 PID 1924 wrote to memory of 1664 1924 Apcfahio.exe 41 PID 1924 wrote to memory of 1664 1924 Apcfahio.exe 41 PID 1664 wrote to memory of 1284 1664 Ahokfj32.exe 42 PID 1664 wrote to memory of 1284 1664 Ahokfj32.exe 42 PID 1664 wrote to memory of 1284 1664 Ahokfj32.exe 42 PID 1664 wrote to memory of 1284 1664 Ahokfj32.exe 42 PID 1284 wrote to memory of 2920 1284 Bagpopmj.exe 43 PID 1284 wrote to memory of 2920 1284 Bagpopmj.exe 43 PID 1284 wrote to memory of 2920 1284 Bagpopmj.exe 43 PID 1284 wrote to memory of 2920 1284 Bagpopmj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2ff4e1f44770a0f19e1e920dad597ba0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe34⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe35⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe36⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe37⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe38⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe40⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe41⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe42⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe43⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe46⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe47⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe49⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe50⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe53⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe54⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe56⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe57⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe58⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe59⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe60⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe61⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe62⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe63⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe64⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe65⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe67⤵PID:2192
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe68⤵PID:408
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe70⤵PID:1236
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe71⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe72⤵PID:1492
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe73⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe74⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe75⤵PID:2600
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe76⤵PID:2544
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe77⤵PID:2512
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe78⤵PID:2592
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe79⤵PID:2008
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe80⤵PID:2864
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe81⤵PID:2080
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe82⤵PID:1312
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe83⤵PID:3032
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe84⤵PID:2320
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe85⤵PID:2236
-
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe86⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe87⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe88⤵PID:2928
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe89⤵PID:2224
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe90⤵PID:2604
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe91⤵PID:2852
-
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe92⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe93⤵PID:1748
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe94⤵PID:2968
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe95⤵
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe96⤵PID:2872
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe97⤵PID:2248
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe98⤵PID:2480
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe99⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1364 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe101⤵PID:2276
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe103⤵PID:1564
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe104⤵PID:2220
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe105⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe106⤵PID:3024
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe107⤵PID:1376
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe108⤵PID:1240
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe109⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe110⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe111⤵PID:1620
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe112⤵PID:2116
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe113⤵PID:1944
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe114⤵PID:1916
-
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe115⤵PID:1008
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe116⤵PID:1940
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe117⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe118⤵PID:2528
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe119⤵PID:2860
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe120⤵PID:800
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe121⤵
- Drops file in System32 directory
PID:356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-