Analysis
max time kernel: 97s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20/05/2024, 10:02
Behavioral task behavioral1
Sample: e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe
Size: 227KB
MD5: e369abd8783bcaa9461b771be4f32510
SHA1: d65a86326c28fce430e7fa2c9019918b4b957933
SHA256: ec991adaae3493953969e23dee01a5e055c3d89b41a853650f395209f45c4767
SHA512: 087c497e79e6b40e69cb2551f5e2081757aadf0a1fd374d95fa6dfc3c99a8166668c40c384b40d39c6760b67ba5331f1d1ee75ed2a147fda43f0033c32cd01e9
SSDEEP: 3072:t+Ds0MuIqcXlnE3YA7reyjpwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:EDJrcV+7y9m7U5j2QE2+g24Id2jFHu
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs hit a single key; they are grouped by action below, followed by the process the sandbox attributed each event to ("Process not Found" is the sandbox's label for an event it could not tie to a tracked process).

Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 IoCs)
  Fgjmfa32.exe, Process not Found, Dkblohek.exe, Jdplmflg.exe, Olokighn.exe, Noifmmec.exe, Peapmhnk.exe, Hancef32.exe, Process not Found, Mfqiingf.exe, Behinlkh.exe, Aqanke32.exe, Hhdcejph.exe, Cfaaalep.exe, Process not Found, Process not Found, Process not Found, Ddliklgk.exe, Danaqbgp.exe, Kmphpc32.exe, Bebiifka.exe, Mgdpnqfn.exe, Ijkjde32.exe, Process not Found, Ghghnc32.exe, Bfmqigba.exe, Laogfg32.exe, Gegaeabe.exe, Gnofng32.exe, Process not Found, Bjlkhn32.exe, Jabajc32.exe, Gohjnf32.exe, Process not Found

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" (30 IoCs)
  Ojdlkp32.exe, Kleeqp32.exe, Aioppl32.exe, Ibklddof.exe, Process not Found, Process not Found, Jemiiqmh.exe, Kelqff32.exe, Cgnpmg32.exe, Ggdfff32.exe, Ifcbme32.exe, Hlbpme32.exe, Lbmpnjai.exe, Kqokgd32.exe, Ljeabf32.exe, Elnonp32.exe, Process not Found, Njjieace.exe, Dofnnkfg.exe, Ocpfmd32.exe, Hdhdlbpk.exe, Eganqo32.exe, Fmnakege.exe, Process not Found, Process not Found, Process not Found, Qnqjkh32.exe, Hmfmkjdf.exe, Hcaehhnd.exe, Blobmm32.exe
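The signature above is the persistence mechanism: a value under ShellServiceObjectDelayLoad (SSODL) names a CLSID, and Explorer.exe instantiates that COM object at logon, loading whatever DLL the CLSID's InProcServer32 key points to. What follows is an added example, not part of the tria.ge report, of a host-side check that enumerates both the native and the Wow6432Node SSODL keys and resolves each CLSID to its server DLL. Registry access is injected as two callables so the same function runs against a live host through winreg or, offline, against a fake registry constructed from this report's IoCs; the fake data, the `winreg_readers`/`fake_readers` helpers and the problem labels are this example's own assumptions.

```python
"""Enumerate ShellServiceObjectDelayLoad (SSODL) entries and resolve each CLSID to the
in-process COM server DLL that Explorer will load at logon.  Registry access is injected
so the logic runs on a live Windows host (winreg) or offline against a constructed fake."""
import re

CLSID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')

# HKLM-relative keys for both registry views.  This sample is a 32-bit binary on a
# 64-bit host, so it wrote to the Wow6432Node view; a 64-bit implant would use the
# native view.  Run this from 64-bit Python so the two views are actually distinct.
SSODL_VIEWS = {
    'native': (r'SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
               r'SOFTWARE\Classes\CLSID\{clsid}\InProcServer32'),
    'wow64':  (r'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
               r'SOFTWARE\Classes\Wow6432Node\CLSID\{clsid}\InProcServer32'),
}

def enumerate_ssodl(read_values, read_default):
    """read_values(hklm_subkey) -> list of (value_name, data); read_default(hklm_subkey)
    -> the key's (Default) value or None.  Returns one finding dict per SSODL value."""
    findings = []
    for view, (ssodl_key, inproc_fmt) in SSODL_VIEWS.items():
        for name, data in read_values(ssodl_key):
            finding = {'view': view, 'value': name, 'clsid': data, 'dll': None, 'problems': []}
            if not isinstance(data, str) or not CLSID_RE.match(data):
                finding['problems'].append('data is not a CLSID')
            else:
                dll = read_default(inproc_fmt.format(clsid=data))
                finding['dll'] = dll
                if dll is None:
                    finding['problems'].append('CLSID has no InProcServer32 (dangling entry)')
            findings.append(finding)
    return findings

def winreg_readers():
    """Adapters over the real registry; importable on Windows only."""
    import winreg
    def read_values(subkey):
        out, i = [], 0
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:          # no more values
                        return out
                    out.append((name, data))
                    i += 1
        except OSError:                      # key absent
            return out
    def read_default(subkey):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                return winreg.QueryValueEx(k, '')[0]
        except OSError:
            return None
    return read_values, read_default

# Constructed fake registry reproducing what the report shows this sample writing.
FAKE_REGISTRY = {
    SSODL_VIEWS['wow64'][0]: [('Web Event Logger', '{79ECA078-17FF-726B-E811-213280E5C831}')],
    r'SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32':
        [('', r'C:\Windows\SysWow64\Ogoicfml.dll'), ('ThreadingModel', 'Apartment')],
}

def fake_readers(registry=FAKE_REGISTRY):
    def read_values(subkey):
        return list(registry.get(subkey, []))
    def read_default(subkey):
        return dict(registry.get(subkey, [])).get('')
    return read_values, read_default

if __name__ == '__main__':
    try:
        readers = winreg_readers()
    except ImportError:
        readers = fake_readers()             # offline demo on non-Windows hosts
    for f in enumerate_ssodl(*readers):
        status = '; '.join(f['problems']) or 'resolved'
        print(f"[{f['view']}] {f['value']!r} -> {f['clsid']} -> {f['dll']} ({status})")
```

On a real host every resolved entry deserves a look at the DLL itself (signature, timestamp, whether it matches a dropped file), since a legitimate Windows install carries only a handful of SSODL values and this sample registers under a name that is not one of them.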
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
yara_rule: family_berbew matched every one of the 64 dropped files below (resource)
behavioral1/files/0x0009000000016d24-5.dat
behavioral1/files/0x0007000000017090-19.dat
behavioral1/files/0x000500000001868c-33.dat
behavioral1/files/0x00050000000186a0-46.dat
behavioral1/files/0x0006000000018ae8-60.dat
behavioral1/files/0x0006000000018b33-79.dat
behavioral1/files/0x0006000000018b42-87.dat
behavioral1/files/0x0006000000018b6a-105.dat
behavioral1/files/0x0007000000016d89-134.dat
behavioral1/files/0x00050000000192c9-153.dat
behavioral1/files/0x000500000001931b-173.dat
behavioral1/files/0x0005000000019368-181.dat
behavioral1/files/0x000500000001939b-204.dat
behavioral1/files/0x0005000000019410-216.dat
behavioral1/files/0x000500000001946f-224.dat
behavioral1/files/0x0005000000019485-241.dat
behavioral1/files/0x00040000000194d6-256.dat
behavioral1/files/0x00040000000194dc-265.dat
behavioral1/files/0x00050000000194ef-287.dat
behavioral1/files/0x0005000000019521-308.dat
behavioral1/files/0x000500000001959e-332.dat
behavioral1/files/0x00050000000195a4-344.dat
behavioral1/files/0x00050000000195ba-373.dat
behavioral1/files/0x00050000000195a9-364.dat
behavioral1/files/0x000500000001996e-396.dat
behavioral1/files/0x0005000000019bd7-409.dat
behavioral1/files/0x0005000000019bef-420.dat
behavioral1/files/0x0005000000019ce6-434.dat
behavioral1/files/0x0005000000019d59-444.dat
behavioral1/files/0x000500000001a013-466.dat
behavioral1/files/0x000500000001a2d0-478.dat
behavioral1/files/0x0005000000019f60-453.dat
behavioral1/files/0x000500000001a3c2-492.dat
behavioral1/files/0x000500000001a3c8-502.dat
behavioral1/files/0x000500000001a3d4-518.dat
behavioral1/files/0x000500000001a431-541.dat
behavioral1/files/0x000500000001a429-532.dat
behavioral1/files/0x000500000001a443-562.dat
behavioral1/files/0x000500000001a447-575.dat
behavioral1/files/0x000500000001a44b-582.dat
behavioral1/files/0x000500000001a453-609.dat
behavioral1/files/0x000500000001a45b-628.dat
behavioral1/files/0x000500000001a45f-639.dat
behavioral1/files/0x000500000001a463-649.dat
behavioral1/files/0x000500000001a467-660.dat
behavioral1/files/0x000500000001a46c-671.dat
behavioral1/files/0x000500000001a470-681.dat
behavioral1/files/0x000500000001a479-705.dat
behavioral1/files/0x000500000001a47d-713.dat
behavioral1/files/0x000500000001a484-721.dat
behavioral1/files/0x000500000001a474-692.dat
behavioral1/files/0x000500000001a489-733.dat
behavioral1/files/0x000500000001a543-748.dat
behavioral1/files/0x000500000001ad1c-758.dat
behavioral1/files/0x000500000001c288-768.dat
behavioral1/files/0x000500000001c6d5-778.dat
behavioral1/files/0x000500000001a457-620.dat
behavioral1/files/0x000500000001a44f-599.dat
behavioral1/files/0x000500000001c71e-788.dat
behavioral1/files/0x000500000001c78b-796.dat
behavioral1/files/0x000500000001c82d-810.dat
behavioral1/files/0x000500000001a43b-554.dat
behavioral1/files/0x000500000001c832-821.dat
behavioral1/files/0x0005000000019646-386.dat
Executes dropped EXE 64 IoCs
pid   Process
2040  Padccpal.exe
1296  Plpqim32.exe
1668  Pfeeff32.exe
2244  Qnqjkh32.exe
2016  Qifnhaho.exe
464   Qdpohodn.exe
1752  Aadobccg.exe
1100  Ajldkhjh.exe
2456  Ahpddmia.exe
2600  Adiaommc.exe
2692  Aocbokia.exe
2436  Bhndnpnp.exe
2936  Bknmok32.exe
3004  Bdinnqon.exe
1524  Boobki32.exe
916   Cpbkhabp.exe
796   Cpdhna32.exe
632   Cfcmlg32.exe
2060  Ccgnelll.exe
2064  Dhdfmbjc.exe
1572  Dkeoongd.exe
1764  Dochelmj.exe
2080  Dhklna32.exe
1820  Dnhefh32.exe
2360  Dgqion32.exe
1976  Ecgjdong.exe
876   Ecjgio32.exe
524   Embkbdce.exe
1620  Ecnpdnho.exe
1540  Egpena32.exe
2468  Fbfjkj32.exe
1136  Fbhfajia.exe
2616  Fhglop32.exe
2412  Fpemhb32.exe
2460  Gfoeel32.exe
2684  Ghghnc32.exe
3016  Gdnibdmf.exe
2452  Hmfmkjdf.exe
1688  Hdpehd32.exe
2588  Hofjem32.exe
980   Hhnnnbaj.exe
1660  Hafbghhj.exe
2120  Hkogpn32.exe
1528  Hlpchfdi.exe
1352  Hgfheodo.exe
1580  Hlbpme32.exe
2740  Hekefkig.exe
2168  Ipqicdim.exe
2184  Ihlnhffh.exe
1204  Iadbqlmh.exe
612   Idbnmgll.exe
872   Iohbjpkb.exe
1740  Igcgnbim.exe
2408  Ibillk32.exe
956   Ijdppm32.exe
704   Jcleiclo.exe
1816  Jnbifl32.exe
2932  Jgjmoace.exe
1560  Jmgfgham.exe
1520  Jinfli32.exe
1892  Jbfkeo32.exe
560   Jkopndcb.exe
1432  Jegdgj32.exe
1812  Kolhdbjh.exe
Loads dropped DLL 64 IoCs
pid   Process (every pid appears twice in the raw report, i.e. two DLL loads per process; listed once here, 32 processes = 64 IoCs)
2228  e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe
2040  Padccpal.exe
1296  Plpqim32.exe
1668  Pfeeff32.exe
2244  Qnqjkh32.exe
2016  Qifnhaho.exe
464   Qdpohodn.exe
1752  Aadobccg.exe
1100  Ajldkhjh.exe
2456  Ahpddmia.exe
2600  Adiaommc.exe
2692  Aocbokia.exe
2436  Bhndnpnp.exe
2936  Bknmok32.exe
3004  Bdinnqon.exe
1524  Boobki32.exe
916   Cpbkhabp.exe
796   Cpdhna32.exe
632   Cfcmlg32.exe
2060  Ccgnelll.exe
2064  Dhdfmbjc.exe
1572  Dkeoongd.exe
1764  Dochelmj.exe
2080  Dhklna32.exe
1820  Dnhefh32.exe
2360  Dgqion32.exe
1976  Ecgjdong.exe
876   Ecjgio32.exe
524   Embkbdce.exe
1620  Ecnpdnho.exe
1540  Egpena32.exe
2468  Fbfjkj32.exe
Drops file in System32 directory 64 IoCs
description                    ioc                                   Process
File opened for modification   C:\Windows\SysWOW64\Dgqion32.exe     Dnhefh32.exe
File opened for modification   C:\Windows\SysWOW64\Lkcgapjl.exe     Lbkchj32.exe
File opened for modification   C:\Windows\SysWOW64\Ffcbce32.exe     Fpijgk32.exe
File created                   C:\Windows\SysWOW64\Nhabgpel.dll     Bmhmgbif.exe
File created                   C:\Windows\SysWOW64\Qamleagn.exe     Qkcdigpa.exe
File created                   C:\Windows\SysWOW64\Hgmoqm32.dll     Hagepa32.exe
File created                   C:\Windows\SysWOW64\Bcopkn32.exe     Bbocak32.exe
File created                   C:\Windows\SysWOW64\Anmbje32.exe     Afbnec32.exe
File created                   C:\Windows\SysWOW64\Facahjoh.dll     Gabofn32.exe
File created                   C:\Windows\SysWOW64\Fdhidgbq.dll     Joaebkni.exe
File created                   C:\Windows\SysWOW64\Npieoi32.exe     Necqbp32.exe
File opened for modification   C:\Windows\SysWOW64\Dfjaej32.exe     Dmalmdcg.exe
File opened for modification   C:\Windows\SysWOW64\Gegbpe32.exe     Gkancm32.exe
File opened for modification   C:\Windows\SysWOW64\Eeffpn32.exe     Epinhg32.exe
File created                   C:\Windows\SysWOW64\Jjgbbc32.exe     Process not Found
File created                   C:\Windows\SysWOW64\Ihjcko32.exe     Ifhgcgjq.exe
File created                   C:\Windows\SysWOW64\Nejbpm32.dll     Akmgoehg.exe
File created                   C:\Windows\SysWOW64\Pgpdjb32.dll     Degqka32.exe
File opened for modification   C:\Windows\SysWOW64\Bpfhfjgq.exe     Bkjpncii.exe
File created                   C:\Windows\SysWOW64\Hmfmkjdf.exe     Gdnibdmf.exe
File created                   C:\Windows\SysWOW64\Ipkema32.exe     Hdkaabnh.exe
File opened for modification   C:\Windows\SysWOW64\Chickknc.exe     Cclkcdpl.exe
File opened for modification   C:\Windows\SysWOW64\Ldjmkq32.exe     Lmpdoffo.exe
File opened for modification   C:\Windows\SysWOW64\Bhdpjaga.exe     Process not Found
File opened for modification   C:\Windows\SysWOW64\Jegdgj32.exe     Jkopndcb.exe
File created                   C:\Windows\SysWOW64\Cakfcfoc.exe     Bnkmakbb.exe
File created                   C:\Windows\SysWOW64\Bnkmakbb.exe     Bebiifka.exe
File created                   C:\Windows\SysWOW64\Encjfc32.dll     Jecnpg32.exe
File created                   C:\Windows\SysWOW64\Omfjkg32.dll     Process not Found
File created                   C:\Windows\SysWOW64\Ipbgci32.exe     Process not Found
File created                   C:\Windows\SysWOW64\Hmockkok.dll     Ipgpcc32.exe
File created                   C:\Windows\SysWOW64\Ppejmj32.exe     Pikaqppk.exe
File created                   C:\Windows\SysWOW64\Lidilk32.exe     Lmnhgjmp.exe
File opened for modification   C:\Windows\SysWOW64\Ohjmlaci.exe     Oaqeogll.exe
File created                   C:\Windows\SysWOW64\Cjngej32.exe     Ccdnipal.exe
File created                   C:\Windows\SysWOW64\Gjcekj32.exe     Glpdbfek.exe
File created                   C:\Windows\SysWOW64\Gkemcm32.dll     Jnaihhgf.exe
File opened for modification   C:\Windows\SysWOW64\Hlbpme32.exe     Hgfheodo.exe
File opened for modification   C:\Windows\SysWOW64\Aadakl32.exe     Qqbeel32.exe
File created                   C:\Windows\SysWOW64\Idmciiok.dll     Ilmool32.exe
File opened for modification   C:\Windows\SysWOW64\Cfmceomm.exe     Chickknc.exe
File created                   C:\Windows\SysWOW64\Okhjcncb.dll     Gnabcf32.exe
File created                   C:\Windows\SysWOW64\Dnjqcn32.dll     Ipkgejcf.exe
File opened for modification   C:\Windows\SysWOW64\Fpkdca32.exe     Fefpfi32.exe
File opened for modification   C:\Windows\SysWOW64\Fcdele32.exe     Ekipgb32.exe
File opened for modification   C:\Windows\SysWOW64\Hpbhphie.exe     Gfjcgc32.exe
File created                   C:\Windows\SysWOW64\Kaehnfoi.dll     Nhngem32.exe
File created                   C:\Windows\SysWOW64\Lcieef32.exe     Lnlmmo32.exe
File created                   C:\Windows\SysWOW64\Nffhad32.dll     Plheil32.exe
File created                   C:\Windows\SysWOW64\Lecjaf32.dll     Ccdnipal.exe
File opened for modification   C:\Windows\SysWOW64\Jnlepioj.exe     Jqhdfe32.exe
File created                   C:\Windows\SysWOW64\Bleppqce.dll     Dpofpg32.exe
File created                   C:\Windows\SysWOW64\Pfgcff32.exe     Omonmpcm.exe
File created                   C:\Windows\SysWOW64\Hnomkloi.exe     Hqkmahpp.exe
File opened for modification   C:\Windows\SysWOW64\Eeameodq.exe     Dmfhqmge.exe
File created                   C:\Windows\SysWOW64\Lmpdoffo.exe     Lhclfphg.exe
File created                   C:\Windows\SysWOW64\Nhmdoq32.exe     Process not Found
File created                   C:\Windows\SysWOW64\Njldiiel.dll     Lmnhgjmp.exe
File created                   C:\Windows\SysWOW64\Jhdpfo32.dll     Iljifm32.exe
File created                   C:\Windows\SysWOW64\Lijepc32.exe     Lkfdfo32.exe
File opened for modification   C:\Windows\SysWOW64\Agcekn32.exe     Adbmjbif.exe
File created                   C:\Windows\SysWOW64\Pojgnf32.exe     Pinnfonh.exe
File created                   C:\Windows\SysWOW64\Epakcm32.exe     Eigbfb32.exe
File opened for modification   C:\Windows\SysWOW64\Acadchoo.exe     Ailqfooi.exe
Modifies registry class 64 IoCs
All 64 IoCs are under the InProcServer32 key of the same CLSID that the ShellServiceObjectDelayLoad value names: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32. Grouped by action, followed by the attributed process:

Key created: ...\InProcServer32 (16 IoCs)
  Ckebbgoj.exe, Ophanl32.exe, Mhmfgdch.exe, Joqdfghn.exe, Dfdeab32.exe, Process not Found, Cdlmlidp.exe, Mpaoojjb.exe, Fabppo32.exe, Efbpihoo.exe, Bbocak32.exe, Mfdjpo32.exe, Process not Found, Coehnecn.exe, Johlpoij.exe, Mjeholco.exe

Set value (str): ...\InProcServer32\ThreadingModel = "Apartment" (22 IoCs)
  Gabofn32.exe, Aodqok32.exe, Bemfjgdg.exe, Process not Found, Oaqeogll.exe, Fcmdpcle.exe, Bnafjo32.exe, Dpofpg32.exe, Pblinp32.exe, Process not Found, Kfcadq32.exe, Kbgnil32.exe, Gkchpcoc.exe, Acbglq32.exe, Process not Found, Fgjmfa32.exe, Elbkbh32.exe, Llooad32.exe, Apbblg32.exe, Process not Found, Bofbih32.exe, Dcaghm32.exe

Set value (str): ...\InProcServer32\ (Default) = server DLL path (26 IoCs; each entry points at a differently named DLL under SysWow64, matching the .dll files in "Drops file in System32 directory"; backslashes are doubled as the report prints them)
  "C:\\Windows\\SysWow64\\Ogoicfml.dll"  Kimlqfeq.exe
  "C:\\Windows\\SysWow64\\Cilbhdoi.dll"  Kbcfme32.exe
  "C:\\Windows\\SysWow64\\Omfjkg32.dll"  Process not Found
  "C:\\Windows\\SysWow64\\Ihdhmkjd.dll"  Pchdfb32.exe
  "C:\\Windows\\SysWow64\\Dcjllicj.dll"  Process not Found
  "C:\\Windows\\SysWow64\\Ofgjhe32.dll"  Gamkol32.exe
  "C:\\Windows\\SysWow64\\Acoacabb.dll"  Ldfgbb32.exe
  "C:\\Windows\\SysWow64\\Eecipl32.dll"  Emdgjpkd.exe
  "C:\\Windows\\SysWow64\\Enjqaegh.dll"  Eipekmjg.exe
  "C:\\Windows\\SysWow64\\Oqncib32.dll"  Ibillk32.exe
  "C:\\Windows\\SysWow64\\Gjdfqh32.dll"  Lcneklck.exe
  "C:\\Windows\\SysWow64\\Pomagi32.dll"  Aadakl32.exe
  "C:\\Windows\\SysWow64\\Eieiegcc.dll"  Akjfhdka.exe
  "C:\\Windows\\SysWow64\\Okmkebdg.dll"  Efbpihoo.exe
  "C:\\Windows\\SysWow64\\Icqieocn.dll"  Jaolad32.exe
  "C:\\Windows\\SysWow64\\Cjkoioja.dll"  Jemiiqmh.exe
  "C:\\Windows\\SysWow64\\Cjbcfc32.dll"  Process not Found
  "C:\\Windows\\SysWow64\\Kmiplp32.dll"  Lilomj32.exe
  "C:\\Windows\\SysWow64\\Bjcmdmiq.dll"  Dhdfmbjc.exe
  "C:\\Windows\\SysWow64\\Mojgie32.dll"  Dclgbgbh.exe
  "C:\\Windows\\SysWow64\\Hgbeio32.dll"  Process not Found
  "C:\\Windows\\SysWow64\\Mbnmpd32.dll"  Gegaeabe.exe
  "C:\\Windows\\SysWow64\\Dqffpm32.dll"  Mbobgfnf.exe
  "C:\\Windows\\SysWow64\\Jommmbhn.dll"  Ocpfmd32.exe
  "C:\\Windows\\SysWow64\\Kagbmg32.dll"  Afbpnlcd.exe
  "C:\\Windows\\SysWow64\\Fpggcbki.dll"  Eehqme32.exe
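The two registry signatures ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are two halves of one persistence chain: the SSODL value supplies the CLSID and the CLSID's InProcServer32 (Default) value supplies the DLL path, and the report prints both as flat "action key[ = data] process" lines. The following added example, not from tria.ge or from this report, parses lines of that shape and joins the two halves on the CLSID so one record carries the value name, every server DLL registered for it and the processes involved. The sample lines are copied from this report; the regexes, the doubled-backslash normalisation and the output format are this example's assumptions about the text as printed here.

```python
import re
from collections import defaultdict

# One registry IoC line as the report prints it: "<action> <key>[\<value> = "<data>"] <process>".
LINE_RE = re.compile(
    r'^(?P<action>Key created|Set value \(str\)) (?P<rest>.+?) '
    r'(?P<proc>Process not Found|\S+\.exe)$'
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Constructed sample: seven lines copied from the two registry signatures of this report.
SAMPLE_LINES = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjmfa32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojdlkp32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckebbgoj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogoicfml.dll" Kimlqfeq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gabofn32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cilbhdoi.dll" Kbcfme32.exe',
]

def parse_line(line):
    """Return (action, key, value_name, data, process) or None for an unparseable line.
    value_name and data are None for 'Key created'; value_name '' is the (Default) value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action, rest, proc = m.group('action', 'rest', 'proc')
    if action == 'Key created':
        return action, rest, None, None, proc
    path, sep, data = rest.partition(' = ')
    if not sep:
        return None
    data = data.strip('"').replace('\\\\', '\\')   # the report prints backslashes doubled
    key, _, name = path.rpartition('\\')           # trailing '\' marks the (Default) value
    return action, key, name, data, proc

def correlate(lines):
    """Join SSODL values to CLSID\\...\\InProcServer32 entries on the CLSID they share."""
    hits = defaultdict(lambda: {'ssodl_values': set(), 'dlls': set(), 'processes': set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, key, name, data, proc = parsed
        lower = key.lower()
        if lower.endswith('\\shellserviceobjectdelayload'):
            if data and CLSID_RE.fullmatch(data):
                h = hits[data.upper()]
                h['ssodl_values'].add(name)
                h['processes'].add(proc)
        elif lower.endswith('\\inprocserver32'):
            m = CLSID_RE.search(key)
            if m:
                h = hits[m.group(0).upper()]
                h['processes'].add(proc)
                if name == '' and data:            # (Default) = path of the COM server DLL
                    h['dlls'].add(data)
    # Only a CLSID that is wired into Explorer's delay-load list is persistence;
    # an InProcServer32 registration on its own is just a COM class.
    return {c: h for c, h in hits.items() if h['ssodl_values']}

def describe(hits):
    """One human-readable line per persisted CLSID."""
    out = []
    for clsid, h in sorted(hits.items()):
        out.append(f"{clsid}: SSODL value(s) {sorted(h['ssodl_values'])}, "
                   f"server DLL(s) {sorted(h['dlls'])}, {len(h['processes'])} processes")
    return out

if __name__ == '__main__':
    print('\n'.join(describe(correlate(SAMPLE_LINES))))
```

Because every generation of the worm re-registers the same CLSID with a fresh DLL name, the `dlls` set is the list of files to collect from the host; the `processes` set is the list of images to pull from the dropped-file list.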
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2228 wrote to memory of 2040  2228  e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe  30
PID 2228 wrote to memory of 2040  2228  e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe  30
PID 2228 wrote to memory of 2040  2228  e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe  30
PID 2228 wrote to memory of 2040  2228  e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe  30
PID 2040 wrote to memory of 1296  2040  Padccpal.exe  31
PID 2040 wrote to memory of 1296  2040  Padccpal.exe  31
PID 2040 wrote to memory of 1296  2040  Padccpal.exe  31
PID 2040 wrote to memory of 1296  2040  Padccpal.exe  31
PID 1296 wrote to memory of 1668  1296  Plpqim32.exe  32
PID 1296 wrote to memory of 1668  1296  Plpqim32.exe  32
PID 1296 wrote to memory of 1668  1296  Plpqim32.exe  32
PID 1296 wrote to memory of 1668  1296  Plpqim32.exe  32
PID 1668 wrote to memory of 2244  1668  Pfeeff32.exe  33
PID 1668 wrote to memory of 2244  1668  Pfeeff32.exe  33
PID 1668 wrote to memory of 2244  1668  Pfeeff32.exe  33
PID 1668 wrote to memory of 2244  1668  Pfeeff32.exe  33
PID 2244 wrote to memory of 2016  2244  Qnqjkh32.exe  34
PID 2244 wrote to memory of 2016  2244  Qnqjkh32.exe  34
PID 2244 wrote to memory of 2016  2244  Qnqjkh32.exe  34
PID 2244 wrote to memory of 2016  2244  Qnqjkh32.exe  34
PID 2016 wrote to memory of 464  2016  Qifnhaho.exe  35
PID 2016 wrote to memory of 464  2016  Qifnhaho.exe  35
PID 2016 wrote to memory of 464  2016  Qifnhaho.exe  35
PID 2016 wrote to memory of 464  2016  Qifnhaho.exe  35
PID 464 wrote to memory of 1752  464  Qdpohodn.exe  36
PID 464 wrote to memory of 1752  464  Qdpohodn.exe  36
PID 464 wrote to memory of 1752  464  Qdpohodn.exe  36
PID 464 wrote to memory of 1752  464  Qdpohodn.exe  36
PID 1752 wrote to memory of 1100  1752  Aadobccg.exe  37
PID 1752 wrote to memory of 1100  1752  Aadobccg.exe  37
PID 1752 wrote to memory of 1100  1752  Aadobccg.exe  37
PID 1752 wrote to memory of 1100  1752  Aadobccg.exe  37
PID 1100 wrote to memory of 2456  1100  Ajldkhjh.exe  38
PID 1100 wrote to memory of 2456  1100  Ajldkhjh.exe  38
PID 1100 wrote to memory of 2456  1100  Ajldkhjh.exe  38
PID 1100 wrote to memory of 2456  1100  Ajldkhjh.exe  38
PID 2456 wrote to memory of 2600  2456  Ahpddmia.exe  39
PID 2456 wrote to memory of 2600  2456  Ahpddmia.exe  39
PID 2456 wrote to memory of 2600  2456  Ahpddmia.exe  39
PID 2456 wrote to memory of 2600  2456  Ahpddmia.exe  39
PID 2600 wrote to memory of 2692  2600  Adiaommc.exe  40
PID 2600 wrote to memory of 2692  2600  Adiaommc.exe  40
PID 2600 wrote to memory of 2692  2600  Adiaommc.exe  40
PID 2600 wrote to memory of 2692  2600  Adiaommc.exe  40
PID 2692 wrote to memory of 2436  2692  Aocbokia.exe  41
PID 2692 wrote to memory of 2436  2692  Aocbokia.exe  41
PID 2692 wrote to memory of 2436  2692  Aocbokia.exe  41
PID 2692 wrote to memory of 2436  2692  Aocbokia.exe  41
PID 2436 wrote to memory of 2936  2436  Bhndnpnp.exe  42
PID 2436 wrote to memory of 2936  2436  Bhndnpnp.exe  42
PID 2436 wrote to memory of 2936  2436  Bhndnpnp.exe  42
PID 2436 wrote to memory of 2936  2436  Bhndnpnp.exe  42
PID 2936 wrote to memory of 3004  2936  Bknmok32.exe  43
PID 2936 wrote to memory of 3004  2936  Bknmok32.exe  43
PID 2936 wrote to memory of 3004  2936  Bknmok32.exe  43
PID 2936 wrote to memory of 3004  2936  Bknmok32.exe  43
PID 3004 wrote to memory of 1524  3004  Bdinnqon.exe  44
PID 3004 wrote to memory of 1524  3004  Bdinnqon.exe  44
PID 3004 wrote to memory of 1524  3004  Bdinnqon.exe  44
PID 3004 wrote to memory of 1524  3004  Bdinnqon.exe  44
PID 1524 wrote to memory of 916  1524  Boobki32.exe  45
PID 1524 wrote to memory of 916  1524  Boobki32.exe  45
PID 1524 wrote to memory of 916  1524  Boobki32.exe  45
PID 1524 wrote to memory of 916  1524  Boobki32.exe  45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e369abd8783bcaa9461b771be4f32510_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Aadobccg.exeC:\Windows\system32\Aadobccg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Adiaommc.exeC:\Windows\system32\Adiaommc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Aocbokia.exeC:\Windows\system32\Aocbokia.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Bknmok32.exeC:\Windows\system32\Bknmok32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe33⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe34⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Fpemhb32.exeC:\Windows\system32\Fpemhb32.exe35⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe36⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Hmfmkjdf.exeC:\Windows\system32\Hmfmkjdf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe40⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe41⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe42⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe43⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe44⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe45⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe48⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe49⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe50⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe51⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Idbnmgll.exeC:\Windows\system32\Idbnmgll.exe52⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Iohbjpkb.exeC:\Windows\system32\Iohbjpkb.exe53⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe54⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Ijdppm32.exeC:\Windows\system32\Ijdppm32.exe56⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe57⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe58⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe59⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe60⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe61⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe62⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Jegdgj32.exeC:\Windows\system32\Jegdgj32.exe64⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe65⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe66⤵PID:1732
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe67⤵PID:1840
-
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe68⤵PID:2128
-
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe69⤵PID:1040
-
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe70⤵PID:1252
-
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe71⤵PID:2028
-
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe72⤵PID:1060
-
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe73⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe74⤵PID:948
-
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe75⤵PID:1500
-
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe76⤵PID:2908
-
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe77⤵PID:2676
-
C:\Windows\SysWOW64\Lilomj32.exeC:\Windows\system32\Lilomj32.exe78⤵
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Mbdcepcm.exeC:\Windows\system32\Mbdcepcm.exe79⤵PID:2476
-
C:\Windows\SysWOW64\Mllhne32.exeC:\Windows\system32\Mllhne32.exe80⤵PID:2572
-
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe81⤵PID:2980
-
C:\Windows\SysWOW64\Mpnngi32.exeC:\Windows\system32\Mpnngi32.exe82⤵PID:2900
-
C:\Windows\SysWOW64\Mpqjmh32.exeC:\Windows\system32\Mpqjmh32.exe83⤵PID:548
-
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe84⤵PID:2504
-
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe85⤵PID:2492
-
C:\Windows\SysWOW64\Nohddd32.exeC:\Windows\system32\Nohddd32.exe86⤵PID:3024
-
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe87⤵PID:892
-
C:\Windows\SysWOW64\Nokqidll.exeC:\Windows\system32\Nokqidll.exe88⤵PID:1704
-
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe89⤵PID:516
-
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe90⤵PID:1584
-
C:\Windows\SysWOW64\Nnbjpqoa.exeC:\Windows\system32\Nnbjpqoa.exe91⤵PID:2008
-
C:\Windows\SysWOW64\Ndlbmk32.exeC:\Windows\system32\Ndlbmk32.exe92⤵PID:944
-
C:\Windows\SysWOW64\Opccallb.exeC:\Windows\system32\Opccallb.exe93⤵PID:2804
-
C:\Windows\SysWOW64\Ojkhjabc.exeC:\Windows\system32\Ojkhjabc.exe94⤵PID:1772
-
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe95⤵PID:2636
-
C:\Windows\SysWOW64\Ojndpqpq.exeC:\Windows\system32\Ojndpqpq.exe96⤵PID:1152
-
C:\Windows\SysWOW64\Ogaeieoj.exeC:\Windows\system32\Ogaeieoj.exe97⤵PID:2988
-
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe98⤵PID:3008
-
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe99⤵PID:2416
-
C:\Windows\SysWOW64\Ockbdebl.exeC:\Windows\system32\Ockbdebl.exe100⤵PID:2836
-
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe101⤵PID:1292
-
C:\Windows\SysWOW64\Pjpmdd32.exeC:\Windows\system32\Pjpmdd32.exe102⤵PID:1936
-
C:\Windows\SysWOW64\Pjbjjc32.exeC:\Windows\system32\Pjbjjc32.exe103⤵PID:2268
-
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe104⤵PID:1388
-
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe105⤵PID:772
-
C:\Windows\SysWOW64\Ailqfooi.exeC:\Windows\system32\Ailqfooi.exe106⤵
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Acadchoo.exeC:\Windows\system32\Acadchoo.exe107⤵PID:3060
-
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe108⤵PID:2428
-
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe109⤵
- Drops file in System32 directory
PID:656 -
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe110⤵PID:2668
-
C:\Windows\SysWOW64\Aicfgn32.exeC:\Windows\system32\Aicfgn32.exe111⤵PID:1872
-
C:\Windows\SysWOW64\Aankkqfl.exeC:\Windows\system32\Aankkqfl.exe112⤵PID:2568
-
C:\Windows\SysWOW64\Bjfpdf32.exeC:\Windows\system32\Bjfpdf32.exe113⤵PID:768
-
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Bdaabk32.exeC:\Windows\system32\Bdaabk32.exe115⤵PID:1724
-
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe116⤵PID:2124
-
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe117⤵PID:2264
-
C:\Windows\SysWOW64\Blobmm32.exeC:\Windows\system32\Blobmm32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe119⤵PID:1960
-
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe120⤵PID:2276
-
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe121⤵PID:1236
-
C:\Windows\SysWOW64\Ciepkajj.exeC:\Windows\system32\Ciepkajj.exe122⤵PID:2464