Analysis
max time kernel: 135s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19/05/2024, 21:20
Behavioral task: behavioral1
Sample: 3ca6ed87a23f31ae7cf680d9aefa6740_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 3ca6ed87a23f31ae7cf680d9aefa6740_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 3ca6ed87a23f31ae7cf680d9aefa6740_NeikiAnalytics.exe
Size: 227KB
MD5: 3ca6ed87a23f31ae7cf680d9aefa6740
SHA1: 51aaa52155ddc92264dc9220a80cd9b048c95b91
SHA256: 92b27169b5963a421113f46a5c99712d8d5dbd99afdfe432496f3fe2c18831ed
SHA512: 065bd94e3ddfe569f698bb047b70e926cdf430c0d1086955b52aa1de466f2298d7c2d50434d012d8963037cd515c5e653e14b9e35c1ba24ce9ba3becd9a76494
SSDEEP: 3072:5wq7Q5yo7Mf5e4FF/cLeyGpwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:G5yo7Mf/Bbgm7U5j2QE2+g24Id2jFHu
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 1732, pid_target: 3968, Process: WerFault.exe, procid_target: 1035
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3ca6ed87a23f31ae7cf680d9aefa6740_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3ca6ed87a23f31ae7cf680d9aefa6740_NeikiAnalytics.exe")
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2320
2. C:\Windows\SysWOW64\Jhjphfgi.exe (command line: C:\Windows\system32\Jhjphfgi.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2172
3. C:\Windows\SysWOW64\Jaeafklf.exe (command line: C:\Windows\system32\Jaeafklf.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 3020
4. C:\Windows\SysWOW64\Jckgicnp.exe (command line: C:\Windows\system32\Jckgicnp.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1992
5. C:\Windows\SysWOW64\Kjglkm32.exe (command line: C:\Windows\system32\Kjglkm32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2464
6. C:\Windows\SysWOW64\Kpcqnf32.exe (command line: C:\Windows\system32\Kpcqnf32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2488
7. C:\Windows\SysWOW64\Khoebi32.exe (command line: C:\Windows\system32\Khoebi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2784
8. C:\Windows\SysWOW64\Kkoncdcp.exe (command line: C:\Windows\system32\Kkoncdcp.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2724
9. C:\Windows\SysWOW64\Lnpgeopa.exe (command line: C:\Windows\system32\Lnpgeopa.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2388
10. C:\Windows\SysWOW64\Lqcmmjko.exe (command line: C:\Windows\system32\Lqcmmjko.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2428
11. C:\Windows\SysWOW64\Lfpeeqig.exe (command line: C:\Windows\system32\Lfpeeqig.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 640
12. C:\Windows\SysWOW64\Mkaghg32.exe (command line: C:\Windows\system32\Mkaghg32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 1664
13. C:\Windows\SysWOW64\Mejlalji.exe (command line: C:\Windows\system32\Mejlalji.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2168
14. C:\Windows\SysWOW64\Mbnljqic.exe (command line: C:\Windows\system32\Mbnljqic.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1340
15. C:\Windows\SysWOW64\Mlkjne32.exe (command line: C:\Windows\system32\Mlkjne32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2364
16. C:\Windows\SysWOW64\Ncfoch32.exe (command line: C:\Windows\system32\Ncfoch32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 3032
17. C:\Windows\SysWOW64\Nmqpam32.exe (command line: C:\Windows\system32\Nmqpam32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2572
18. C:\Windows\SysWOW64\Nfkapb32.exe (command line: C:\Windows\system32\Nfkapb32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 584
19. C:\Windows\SysWOW64\Oiljam32.exe (command line: C:\Windows\system32\Oiljam32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 952
20. C:\Windows\SysWOW64\Ooicid32.exe (command line: C:\Windows\system32\Ooicid32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1840
21. C:\Windows\SysWOW64\Ohcdhi32.exe (command line: C:\Windows\system32\Ohcdhi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1720
22. C:\Windows\SysWOW64\Oalhqohl.exe (command line: C:\Windows\system32\Oalhqohl.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 108
23. C:\Windows\SysWOW64\Oopijc32.exe (command line: C:\Windows\system32\Oopijc32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2152
24. C:\Windows\SysWOW64\Odmabj32.exe (command line: C:\Windows\system32\Odmabj32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2680
25. C:\Windows\SysWOW64\Omefkplm.exe (command line: C:\Windows\system32\Omefkplm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2268
26. C:\Windows\SysWOW64\Pljcllqe.exe (command line: C:\Windows\system32\Pljcllqe.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1984
27. C:\Windows\SysWOW64\Pnjofo32.exe (command line: C:\Windows\system32\Pnjofo32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2184
28. C:\Windows\SysWOW64\Pgbdodnh.exe (command line: C:\Windows\system32\Pgbdodnh.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1580
29. C:\Windows\SysWOW64\Pciddedl.exe (command line: C:\Windows\system32\Pciddedl.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 2824
30. C:\Windows\SysWOW64\Phfmllbd.exe (command line: C:\Windows\system32\Phfmllbd.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1676
31. C:\Windows\SysWOW64\Pkdihhag.exe (command line: C:\Windows\system32\Pkdihhag.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 832
32. C:\Windows\SysWOW64\Qhjfgl32.exe (command line: C:\Windows\system32\Qhjfgl32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 2908
33. C:\Windows\SysWOW64\Adcdbl32.exe (command line: C:\Windows\system32\Adcdbl32.exe)
   - Executes dropped EXE
   PID: 2484
34. C:\Windows\SysWOW64\Adfqgl32.exe (command line: C:\Windows\system32\Adfqgl32.exe)
   - Executes dropped EXE
   PID: 2632
35. C:\Windows\SysWOW64\Ajeeeblb.exe (command line: C:\Windows\system32\Ajeeeblb.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 2376
36. C:\Windows\SysWOW64\Acnjnh32.exe (command line: C:\Windows\system32\Acnjnh32.exe)
   - Executes dropped EXE
   PID: 2860
37. C:\Windows\SysWOW64\Aijbfo32.exe (command line: C:\Windows\system32\Aijbfo32.exe)
   - Executes dropped EXE
   PID: 2600
38. C:\Windows\SysWOW64\Bfncpcoc.exe (command line: C:\Windows\system32\Bfncpcoc.exe)
   - Executes dropped EXE
   PID: 2176
39. C:\Windows\SysWOW64\Bkklhjnk.exe (command line: C:\Windows\system32\Bkklhjnk.exe)
   - Executes dropped EXE
   PID: 1920
40. C:\Windows\SysWOW64\Bfqpecma.exe (command line: C:\Windows\system32\Bfqpecma.exe)
   - Executes dropped EXE
   PID: 1592
41. C:\Windows\SysWOW64\Bgblmk32.exe (command line: C:\Windows\system32\Bgblmk32.exe)
   - Executes dropped EXE
   PID: 564
42. C:\Windows\SysWOW64\Bnldjekl.exe (command line: C:\Windows\system32\Bnldjekl.exe)
   - Executes dropped EXE
   PID: 1712
43. C:\Windows\SysWOW64\Bgdibkam.exe (command line: C:\Windows\system32\Bgdibkam.exe)
   - Executes dropped EXE
   PID: 852
44. C:\Windows\SysWOW64\Bammlq32.exe (command line: C:\Windows\system32\Bammlq32.exe)
   - Executes dropped EXE
   PID: 1948
45. C:\Windows\SysWOW64\Bkbaii32.exe (command line: C:\Windows\system32\Bkbaii32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 2648
46. C:\Windows\SysWOW64\Baojapfj.exe (command line: C:\Windows\system32\Baojapfj.exe)
   - Executes dropped EXE
   PID: 1056
47. C:\Windows\SysWOW64\Bgibnj32.exe (command line: C:\Windows\system32\Bgibnj32.exe)
   - Executes dropped EXE
   PID: 980
48. C:\Windows\SysWOW64\Cmfkfa32.exe (command line: C:\Windows\system32\Cmfkfa32.exe)
   - Executes dropped EXE
   PID: 1224
49. C:\Windows\SysWOW64\Cgkocj32.exe (command line: C:\Windows\system32\Cgkocj32.exe)
   - Executes dropped EXE
   PID: 1468
50. C:\Windows\SysWOW64\Cjjkpe32.exe (command line: C:\Windows\system32\Cjjkpe32.exe)
   - Executes dropped EXE
   PID: 708
51. C:\Windows\SysWOW64\Cpfdhl32.exe (command line: C:\Windows\system32\Cpfdhl32.exe)
   - Executes dropped EXE
   PID: 1248
52. C:\Windows\SysWOW64\Ciohqa32.exe (command line: C:\Windows\system32\Ciohqa32.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 876
53. C:\Windows\SysWOW64\Cpiqmlfm.exe (command line: C:\Windows\system32\Cpiqmlfm.exe)
   - Executes dropped EXE
   PID: 2204
54. C:\Windows\SysWOW64\Cfcijf32.exe (command line: C:\Windows\system32\Cfcijf32.exe)
   PID: 1616
55. C:\Windows\SysWOW64\Cmmagpef.exe (command line: C:\Windows\system32\Cmmagpef.exe)
   - Executes dropped EXE
   PID: 2000
56. C:\Windows\SysWOW64\Cnnnnh32.exe (command line: C:\Windows\system32\Cnnnnh32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   PID: 1164
57. C:\Windows\SysWOW64\Cehfkb32.exe (command line: C:\Windows\system32\Cehfkb32.exe)
   - Executes dropped EXE
   PID: 2756
58. C:\Windows\SysWOW64\Cpmjhk32.exe (command line: C:\Windows\system32\Cpmjhk32.exe)
   - Executes dropped EXE
   PID: 1336
59. C:\Windows\SysWOW64\Daofpchf.exe (command line: C:\Windows\system32\Daofpchf.exe)
   - Executes dropped EXE
   PID: 2520
60. C:\Windows\SysWOW64\Dhiomn32.exe (command line: C:\Windows\system32\Dhiomn32.exe)
   - Executes dropped EXE
   PID: 3004
61. C:\Windows\SysWOW64\Djgkii32.exe (command line: C:\Windows\system32\Djgkii32.exe)
   - Executes dropped EXE
   PID: 2160
62. C:\Windows\SysWOW64\Dhkkbmnp.exe (command line: C:\Windows\system32\Dhkkbmnp.exe)
   - Executes dropped EXE
   PID: 2848
63. C:\Windows\SysWOW64\Doecog32.exe (command line: C:\Windows\system32\Doecog32.exe)
   - Executes dropped EXE
   PID: 2584
64. C:\Windows\SysWOW64\Dacpkc32.exe (command line: C:\Windows\system32\Dacpkc32.exe)
   - Executes dropped EXE
   PID: 2864
65. C:\Windows\SysWOW64\Dfphcj32.exe (command line: C:\Windows\system32\Dfphcj32.exe)
   - Executes dropped EXE
   PID: 2024
66. C:\Windows\SysWOW64\Dmjqpdje.exe (command line: C:\Windows\system32\Dmjqpdje.exe)
   - Executes dropped EXE
   PID: 2180
67. C:\Windows\SysWOW64\Dphmloih.exe (command line: C:\Windows\system32\Dphmloih.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 1952
68. C:\Windows\SysWOW64\Dknajh32.exe (command line: C:\Windows\system32\Dknajh32.exe)
   PID: 2444
69. C:\Windows\SysWOW64\Dbifnj32.exe (command line: C:\Windows\system32\Dbifnj32.exe)
   PID: 1380
70. C:\Windows\SysWOW64\Dicnkdnf.exe (command line: C:\Windows\system32\Dicnkdnf.exe)
   PID: 828
71. C:\Windows\SysWOW64\Elajgpmj.exe (command line: C:\Windows\system32\Elajgpmj.exe)
   PID: 596
72. C:\Windows\SysWOW64\Eclbcj32.exe (command line: C:\Windows\system32\Eclbcj32.exe)
   - Drops file in System32 directory
   PID: 1556
73. C:\Windows\SysWOW64\Emagacdm.exe (command line: C:\Windows\system32\Emagacdm.exe)
   PID: 1796
74. C:\Windows\SysWOW64\Eobchk32.exe (command line: C:\Windows\system32\Eobchk32.exe)
   PID: 904
75. C:\Windows\SysWOW64\Egikjh32.exe (command line: C:\Windows\system32\Egikjh32.exe)
   PID: 2920
76. C:\Windows\SysWOW64\Ehkhaqpk.exe (command line: C:\Windows\system32\Ehkhaqpk.exe)
   PID: 1456
77. C:\Windows\SysWOW64\Eoepnk32.exe (command line: C:\Windows\system32\Eoepnk32.exe)
   PID: 1096
78. C:\Windows\SysWOW64\Eeohkeoe.exe (command line: C:\Windows\system32\Eeohkeoe.exe)
   PID: 1988
79. C:\Windows\SysWOW64\Eklqcl32.exe (command line: C:\Windows\system32\Eklqcl32.exe)
   PID: 2120
80. C:\Windows\SysWOW64\Eddeladm.exe (command line: C:\Windows\system32\Eddeladm.exe)
   PID: 1900
81. C:\Windows\SysWOW64\Eknmhk32.exe (command line: C:\Windows\system32\Eknmhk32.exe)
   PID: 2536
82. C:\Windows\SysWOW64\Eaheeecg.exe (command line: C:\Windows\system32\Eaheeecg.exe)
   PID: 460
83. C:\Windows\SysWOW64\Fgdnnl32.exe (command line: C:\Windows\system32\Fgdnnl32.exe)
   PID: 2420
84. C:\Windows\SysWOW64\Fnofjfhk.exe (command line: C:\Windows\system32\Fnofjfhk.exe)
   PID: 760
85. C:\Windows\SysWOW64\Fdiogq32.exe (command line: C:\Windows\system32\Fdiogq32.exe)
   PID: 1436
86. C:\Windows\SysWOW64\Fggkcl32.exe (command line: C:\Windows\system32\Fggkcl32.exe)
   PID: 1632
87. C:\Windows\SysWOW64\Famope32.exe (command line: C:\Windows\system32\Famope32.exe)
   PID: 1384
88. C:\Windows\SysWOW64\Fdkklp32.exe (command line: C:\Windows\system32\Fdkklp32.exe)
   PID: 336
89. C:\Windows\SysWOW64\Fkecij32.exe (command line: C:\Windows\system32\Fkecij32.exe)
   PID: 1976
90. C:\Windows\SysWOW64\Fqalaa32.exe (command line: C:\Windows\system32\Fqalaa32.exe)
   PID: 2868
91. C:\Windows\SysWOW64\Fgldnkkf.exe (command line: C:\Windows\system32\Fgldnkkf.exe)
   PID: 272
92. C:\Windows\SysWOW64\Fqdiga32.exe (command line: C:\Windows\system32\Fqdiga32.exe)
   PID: 2744
93. C:\Windows\SysWOW64\Ffaaoh32.exe (command line: C:\Windows\system32\Ffaaoh32.exe)
   PID: 2480
94. C:\Windows\SysWOW64\Goiehm32.exe (command line: C:\Windows\system32\Goiehm32.exe)
   PID: 2020
95. C:\Windows\SysWOW64\Ghajacmo.exe (command line: C:\Windows\system32\Ghajacmo.exe)
   PID: 2148
96. C:\Windows\SysWOW64\Gbjojh32.exe (command line: C:\Windows\system32\Gbjojh32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2156
97. C:\Windows\SysWOW64\Ghdgfbkl.exe (command line: C:\Windows\system32\Ghdgfbkl.exe)
   PID: 2892
98. C:\Windows\SysWOW64\Gblkoham.exe (command line: C:\Windows\system32\Gblkoham.exe)
   PID: 1704
99. C:\Windows\SysWOW64\Gifclb32.exe (command line: C:\Windows\system32\Gifclb32.exe)
   - Drops file in System32 directory
   PID: 2524
100. C:\Windows\SysWOW64\Ggicgopd.exe (command line: C:\Windows\system32\Ggicgopd.exe)
   PID: 2564
101. C:\Windows\SysWOW64\Gqahqd32.exe (command line: C:\Windows\system32\Gqahqd32.exe)
   PID: 1604
102. C:\Windows\SysWOW64\Ggkqmoma.exe (command line: C:\Windows\system32\Ggkqmoma.exe)
   PID: 2056
103. C:\Windows\SysWOW64\Gjjmijme.exe (command line: C:\Windows\system32\Gjjmijme.exe)
   PID: 1516
104. C:\Windows\SysWOW64\Gcbabpcf.exe (command line: C:\Windows\system32\Gcbabpcf.exe)
   - Modifies registry class
   PID: 896
105. C:\Windows\SysWOW64\Hnheohcl.exe (command line: C:\Windows\system32\Hnheohcl.exe)
   PID: 2712
106. C:\Windows\SysWOW64\Hebnlb32.exe (command line: C:\Windows\system32\Hebnlb32.exe)
   PID: 944
107. C:\Windows\SysWOW64\Hfcjdkpg.exe (command line: C:\Windows\system32\Hfcjdkpg.exe)
   PID: 2476
108. C:\Windows\SysWOW64\Hahnac32.exe (command line: C:\Windows\system32\Hahnac32.exe)
   PID: 1108
109. C:\Windows\SysWOW64\Hfegij32.exe (command line: C:\Windows\system32\Hfegij32.exe)
   PID: 1784
110. C:\Windows\SysWOW64\Hpnkbpdd.exe (command line: C:\Windows\system32\Hpnkbpdd.exe)
   PID: 2936
111. C:\Windows\SysWOW64\Hfhcoj32.exe (command line: C:\Windows\system32\Hfhcoj32.exe)
   PID: 2424
112. C:\Windows\SysWOW64\Hldlga32.exe (command line: C:\Windows\system32\Hldlga32.exe)
   PID: 2280
113. C:\Windows\SysWOW64\Hfjpdjjo.exe (command line: C:\Windows\system32\Hfjpdjjo.exe)
   PID: 1648
114. C:\Windows\SysWOW64\Hpbdmo32.exe (command line: C:\Windows\system32\Hpbdmo32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 1416
115. C:\Windows\SysWOW64\Ieomef32.exe (command line: C:\Windows\system32\Ieomef32.exe)
   PID: 2596
116. C:\Windows\SysWOW64\Ipeaco32.exe (command line: C:\Windows\system32\Ipeaco32.exe)
   - Modifies registry class
   PID: 2636
117. C:\Windows\SysWOW64\Iimfld32.exe (command line: C:\Windows\system32\Iimfld32.exe)
   PID: 2552
118. C:\Windows\SysWOW64\Injndk32.exe (command line: C:\Windows\system32\Injndk32.exe)
   PID: 2672
119. C:\Windows\SysWOW64\Ilnomp32.exe (command line: C:\Windows\system32\Ilnomp32.exe)
   PID: 1532
120. C:\Windows\SysWOW64\Iakgefqe.exe (command line: C:\Windows\system32\Iakgefqe.exe)
   PID: 2340
121. C:\Windows\SysWOW64\Ioohokoo.exe (command line: C:\Windows\system32\Ioohokoo.exe)
   PID: 1060
122. C:\Windows\SysWOW64\Jajcdjca.exe (command line: C:\Windows\system32\Jajcdjca.exe)
   PID: 1128