Analysis
  max time kernel:  119s
  max time network: 120s
  platform:         windows7_x64
  resource:         win7-20240508-en
  resource tags:    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted:        02/06/2024, 02:41
Behavioral task: behavioral1
  Sample:   275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample:   275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
  Target: 275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe
  Size:   94KB
  MD5:    275b0c35ca131cfb165b0d988003f600
  SHA1:   f6239aed396ec7814e4ff28a0a428e87577bf0d9
  SHA256: 1c5b95fe5eb92f7debe13611ce05f79f73c32ae00f4339b658dc68b7bcb0b57c
  SHA512: 601064c9586a70d3eb3c76c02d91efcda131e0748d45a2abb8d75e6ec3f417c5be5698ddd790896948d17fd3caba76d8268744ae8f68c36fd2971811003a095f
  SSDEEP: 1536:X5AWbqKZGtltu/M0jTT6yfhsa0sI1Qp2LfaIZTJ+7LhkiB0MPiKeEAgv:XmWbqaGtPgTjTQBsI11faMU7uihJ5v
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocgpappk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fenmdm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjfjbdle.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpngfgle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdjpeifj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjfdhbld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlngpjlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djmicm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pklhlael.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbokmqie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Niikceid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meijhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Keoapb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npdjje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifhnpea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iedkbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmikibio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abmbhn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cldooj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehgppi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbaileio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnicmdli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdgdempa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfmffhde.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndbcpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbdjbaea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdpndnei.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moidahcn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnennj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojcecjee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efaibbij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnfamcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdgdempa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bldcpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmneda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkhnle32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dookgcij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gljnej32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofelmloo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keednado.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdpndnei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipllekdl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Echfaf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdllkhdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpbiommg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkaiqk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oklkmnbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kebgia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nplmop32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kohkfj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nckjkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgimmm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pklhlael.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djklnnaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icmegf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emkaol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhjapjmi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alegac32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfffnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaldcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Modkfi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnbbbffj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccngld32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjakmc32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

resource | yara_rule
behavioral1/files/0x000c00000001226d-5.dat | family_berbew
behavioral1/files/0x000d000000014b3f-20.dat | family_berbew
behavioral1/files/0x000700000001538e-33.dat | family_berbew
behavioral1/files/0x000700000001542b-46.dat | family_berbew
behavioral1/files/0x0008000000015679-65.dat | family_berbew
behavioral1/files/0x0006000000015d42-72.dat | family_berbew
behavioral1/files/0x0006000000015d97-86.dat | family_berbew
behavioral1/memory/2700-93-0x00000000002D0000-0x000000000030C000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015f54-110.dat | family_berbew
behavioral1/files/0x00060000000160f3-117.dat | family_berbew
behavioral1/files/0x00060000000162cc-133.dat | family_berbew
behavioral1/files/0x0006000000016572-146.dat | family_berbew
behavioral1/files/0x0006000000016824-161.dat | family_berbew
behavioral1/files/0x0006000000016c4a-175.dat | family_berbew
behavioral1/memory/1720-183-0x0000000000250000-0x000000000028C000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016c67-191.dat | family_berbew
behavioral1/files/0x0006000000016cde-214.dat | family_berbew
behavioral1/files/0x00350000000149d0-222.dat | family_berbew
behavioral1/files/0x0006000000016d22-238.dat | family_berbew
behavioral1/files/0x0006000000016d33-247.dat | family_berbew
behavioral1/files/0x0006000000016d44-259.dat | family_berbew
behavioral1/files/0x0006000000016d55-272.dat | family_berbew
behavioral1/files/0x0006000000016d6c-279.dat | family_berbew
behavioral1/files/0x0006000000016d78-291.dat | family_berbew
behavioral1/files/0x0006000000016db2-302.dat | family_berbew
behavioral1/memory/2104-306-0x0000000000250000-0x000000000028C000-memory.dmp | family_berbew
behavioral1/memory/1736-305-0x0000000000250000-0x000000000028C000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016dd1-315.dat | family_berbew
behavioral1/memory/1072-322-0x0000000000250000-0x000000000028C000-memory.dmp | family_berbew
behavioral1/files/0x000600000001720f-324.dat | family_berbew
behavioral1/files/0x00060000000173d3-338.dat | family_berbew
behavioral1/files/0x0006000000017568-348.dat | family_berbew
behavioral1/files/0x00050000000186ff-360.dat | family_berbew
behavioral1/files/0x000500000001870d-367.dat | family_berbew
behavioral1/files/0x000500000001873a-380.dat | family_berbew
behavioral1/files/0x000500000001878b-392.dat | family_berbew
behavioral1/files/0x0006000000018b73-403.dat | family_berbew
behavioral1/files/0x0006000000018bda-411.dat | family_berbew
behavioral1/files/0x0005000000019296-422.dat | family_berbew
behavioral1/files/0x00050000000193c5-430.dat | family_berbew
behavioral1/files/0x00050000000193ee-449.dat | family_berbew
behavioral1/files/0x000500000001941d-458.dat | family_berbew
behavioral1/files/0x000500000001945f-468.dat | family_berbew
behavioral1/files/0x000500000001949f-477.dat | family_berbew
behavioral1/files/0x0005000000019520-488.dat | family_berbew
behavioral1/files/0x000500000001961a-499.dat | family_berbew
behavioral1/files/0x000500000001961e-509.dat | family_berbew
behavioral1/files/0x0005000000019622-523.dat | family_berbew
behavioral1/files/0x0005000000019625-529.dat | family_berbew
behavioral1/files/0x0005000000019628-551.dat | family_berbew
behavioral1/files/0x000500000001962c-562.dat | family_berbew
behavioral1/files/0x0005000000019630-572.dat | family_berbew
behavioral1/files/0x0005000000019634-586.dat | family_berbew
behavioral1/files/0x00050000000196b9-595.dat | family_berbew
behavioral1/files/0x00050000000196be-607.dat | family_berbew
behavioral1/files/0x0005000000019707-618.dat | family_berbew
behavioral1/files/0x0005000000019848-628.dat | family_berbew
behavioral1/files/0x000500000001990e-636.dat | family_berbew
behavioral1/files/0x0005000000019aee-649.dat | family_berbew
behavioral1/files/0x0005000000019c68-656.dat | family_berbew
behavioral1/files/0x0005000000019d5f-666.dat | family_berbew
behavioral1/files/0x0005000000019dd1-675.dat | family_berbew
behavioral1/files/0x0005000000019f2d-685.dat | family_berbew
behavioral1/files/0x000500000001a056-696.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
2056 | Jgidao32.exe
2604 | Kihqkagp.exe
2812 | Kjjmbj32.exe
2276 | Keoapb32.exe
2848 | Kgnnln32.exe
2700 | Keanebkb.exe
2976 | Kjnfniii.exe
1852 | Kgbggnhc.exe
2764 | Kaklpcoc.exe
1948 | Kifpdelo.exe
2228 | Lldlqakb.exe
1720 | Lemaif32.exe
572 | Llfifq32.exe
2860 | Leonofpp.exe
2880 | Lliflp32.exe
2104 | Lojomkdn.exe
576 | Lecgje32.exe
1836 | Llnofpcg.exe
2336 | Lollckbk.exe
1524 | Mggpgmof.exe
1768 | Mkclhl32.exe
1736 | Mhgmapfi.exe
1072 | Mgimmm32.exe
2952 | Mmceigep.exe
2908 | Mgljbm32.exe
2656 | Mkgfckcj.exe
2824 | Mgnfhlin.exe
1900 | Mcegmm32.exe
2804 | Mgqcmlgl.exe
2516 | Miooigfo.exe
1796 | Ncgdbmmp.exe
1044 | Nlphkb32.exe
2800 | Nkbhgojk.exe
2400 | Ndkmpe32.exe
1920 | Nlbeqb32.exe
844 | Nglfapnl.exe
1716 | Nnennj32.exe
1080 | Npdjje32.exe
328 | Nhkbkc32.exe
2316 | Njlockkm.exe
2608 | Nnhkcj32.exe
2928 | Npfgpe32.exe
1316 | Ndbcpd32.exe
1960 | Nceclqan.exe
1656 | Oklkmnbp.exe
980 | Oqideepg.exe
1568 | Ocgpappk.exe
2948 | Ofelmloo.exe
2192 | Onmdoioa.exe
2640 | Oqkqkdne.exe
2664 | Ocimgp32.exe
2752 | Ogeigofa.exe
2712 | Ofhick32.exe
2584 | Ojcecjee.exe
1876 | Ombapedi.exe
2756 | Obojhlbq.exe
2416 | Ofjfhk32.exe
1684 | Ojfaijcc.exe
2408 | Omdneebf.exe
552 | Ocnfbo32.exe
2204 | Obafnlpn.exe
1844 | Oikojfgk.exe
2600 | Okikfagn.exe
2256 | Ooeggp32.exe
Loads dropped DLL (64 IoCs; each process below is listed twice in the report)

pid | Process
1688 | 275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe
2056 | Jgidao32.exe
2604 | Kihqkagp.exe
2812 | Kjjmbj32.exe
2276 | Keoapb32.exe
2848 | Kgnnln32.exe
2700 | Keanebkb.exe
2976 | Kjnfniii.exe
1852 | Kgbggnhc.exe
2764 | Kaklpcoc.exe
1948 | Kifpdelo.exe
2228 | Lldlqakb.exe
1720 | Lemaif32.exe
572 | Llfifq32.exe
2860 | Leonofpp.exe
2880 | Lliflp32.exe
2104 | Lojomkdn.exe
576 | Lecgje32.exe
1836 | Llnofpcg.exe
2336 | Lollckbk.exe
1524 | Mggpgmof.exe
1768 | Mkclhl32.exe
1736 | Mhgmapfi.exe
1072 | Mgimmm32.exe
2952 | Mmceigep.exe
2908 | Mgljbm32.exe
2656 | Mkgfckcj.exe
2824 | Mgnfhlin.exe
1900 | Mcegmm32.exe
2804 | Mgqcmlgl.exe
2516 | Miooigfo.exe
1796 | Ncgdbmmp.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Enakbp32.exe | Dookgcij.exe
File created | C:\Windows\SysWOW64\Fkcpip32.dll | Fmbhok32.exe
File opened for modification | C:\Windows\SysWOW64\Bifgdk32.exe | Bekkcljk.exe
File created | C:\Windows\SysWOW64\Lbfdaigg.exe | Lccdel32.exe
File created | C:\Windows\SysWOW64\Npagjpcd.exe | Nlekia32.exe
File created | C:\Windows\SysWOW64\Lhghcb32.dll | Fcefji32.exe
File created | C:\Windows\SysWOW64\Lcoich32.dll | Nnhkcj32.exe
File created | C:\Windows\SysWOW64\Qcjfoqkg.dll | Ahdaee32.exe
File opened for modification | C:\Windows\SysWOW64\Dggcffhg.exe | Dhdcji32.exe
File created | C:\Windows\SysWOW64\Gdjpeifj.exe | Gakcimgf.exe
File created | C:\Windows\SysWOW64\Icjhagdp.exe | Ioolqh32.exe
File created | C:\Windows\SysWOW64\Kifpdelo.exe | Kaklpcoc.exe
File created | C:\Windows\SysWOW64\Nnplna32.dll | Keoapb32.exe
File created | C:\Windows\SysWOW64\Okhklfnh.dll | Llnofpcg.exe
File created | C:\Windows\SysWOW64\Qfokbnip.exe | Qpecfc32.exe
File opened for modification | C:\Windows\SysWOW64\Ahlgfdeq.exe | Aemkjiem.exe
File opened for modification | C:\Windows\SysWOW64\Fiihdlpc.exe | Fenmdm32.exe
File opened for modification | C:\Windows\SysWOW64\Hmdmcanc.exe | Hkfagfop.exe
File created | C:\Windows\SysWOW64\Cjgheann.dll | Ilncom32.exe
File created | C:\Windows\SysWOW64\Jgidao32.exe | 275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Nckjkl32.exe | Nplmop32.exe
File created | C:\Windows\SysWOW64\Jicdaj32.dll | Qlkdkd32.exe
File opened for modification | C:\Windows\SysWOW64\Kocbkk32.exe | Kmefooki.exe
File created | C:\Windows\SysWOW64\Almjnp32.dll | Mooaljkh.exe
File created | C:\Windows\SysWOW64\Mholen32.exe | Meppiblm.exe
File created | C:\Windows\SysWOW64\Idnhde32.dll | Qabcjgkh.exe
File opened for modification | C:\Windows\SysWOW64\Kicmdo32.exe | Kegqdqbl.exe
File created | C:\Windows\SysWOW64\Bnpanefm.dll | Kjjmbj32.exe
File created | C:\Windows\SysWOW64\Pbfpik32.exe | Pklhlael.exe
File created | C:\Windows\SysWOW64\Fbopgb32.exe | Fpqdkf32.exe
File created | C:\Windows\SysWOW64\Fpcqjacl.dll | Kconkibf.exe
File opened for modification | C:\Windows\SysWOW64\Lfmffhde.exe | Lgjfkk32.exe
File opened for modification | C:\Windows\SysWOW64\Njlockkm.exe | Nhkbkc32.exe
File created | C:\Windows\SysWOW64\Nmpnhdfc.exe | Niebhf32.exe
File created | C:\Windows\SysWOW64\Alegac32.exe | Adnopfoj.exe
File created | C:\Windows\SysWOW64\Keoapb32.exe | Kjjmbj32.exe
File opened for modification | C:\Windows\SysWOW64\Fpqdkf32.exe | Fmbhok32.exe
File created | C:\Windows\SysWOW64\Ileiplhn.exe | Idnaoohk.exe
File created | C:\Windows\SysWOW64\Lbgafalg.dll | Jocflgga.exe
File opened for modification | C:\Windows\SysWOW64\Jdehon32.exe | Jbgkcb32.exe
File created | C:\Windows\SysWOW64\Jchhkjhn.exe | Jdehon32.exe
File created | C:\Windows\SysWOW64\Jnpinc32.exe | Jjdmmdnh.exe
File created | C:\Windows\SysWOW64\Kihqkagp.exe | Jgidao32.exe
File created | C:\Windows\SysWOW64\Fjngcolf.dll | Lbfdaigg.exe
File created | C:\Windows\SysWOW64\Fgpimg32.dll | Bekkcljk.exe
File created | C:\Windows\SysWOW64\Pikhak32.dll | Lnbbbffj.exe
File opened for modification | C:\Windows\SysWOW64\Lfdmggnm.exe | Lcfqkl32.exe
File created | C:\Windows\SysWOW64\Ajdlmi32.dll | Meijhc32.exe
File created | C:\Windows\SysWOW64\Necfoajd.dll | Ombapedi.exe
File created | C:\Windows\SysWOW64\Aibajhdn.exe | Afcenm32.exe
File created | C:\Windows\SysWOW64\Effcma32.exe | Echfaf32.exe
File opened for modification | C:\Windows\SysWOW64\Gedbdlbb.exe | Fmmkcoap.exe
File opened for modification | C:\Windows\SysWOW64\Gmdadnkh.exe | Gjfdhbld.exe
File created | C:\Windows\SysWOW64\Cpdcnhnl.dll | Jjbpgd32.exe
File opened for modification | C:\Windows\SysWOW64\Lemaif32.exe | Lldlqakb.exe
File opened for modification | C:\Windows\SysWOW64\Dcenlceh.exe | Dknekeef.exe
File created | C:\Windows\SysWOW64\Bjidgghp.dll | Dknekeef.exe
File created | C:\Windows\SysWOW64\Maiooo32.dll | Fagjnn32.exe
File created | C:\Windows\SysWOW64\Kilfcpqm.exe | Kjifhc32.exe
File created | C:\Windows\SysWOW64\Daifmohp.dll | Mbkmlh32.exe
File opened for modification | C:\Windows\SysWOW64\Amfcikek.exe | Anccmo32.exe
File opened for modification | C:\Windows\SysWOW64\Blbfjg32.exe | Bidjnkdg.exe
File created | C:\Windows\SysWOW64\Dfoqmo32.exe | Doehqead.exe
File created | C:\Windows\SysWOW64\Fmpkjkma.exe | Fjaonpnn.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" | Dknekeef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhqbkhch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ginnnooi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hiknhbcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lcfqkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckmmp32.dll" | Aehboi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbaileio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" | Iefhhbef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnbbbffj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjmaaddo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll" | Cjdfmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hiknhbcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kebgia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" | Bifgdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll" | Mkklljmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bdbhke32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oklkmnbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heldepab.dll" | Ofjfhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cahail32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdjpeifj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igonafba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jocflgga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mabgcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kaklpcoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbjbaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chnqkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjfccn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eqgnokip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdbkjn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfpclh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll" | Mkhofjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afcenm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llnofpcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bfenbpec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfmdho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" | Dookgcij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fpngfgle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Illgimph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mhloponc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lemaif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll" | Eplkpgnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmhnm32.dll" | Hmbpmapf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhqpo32.dll" | Ijdqna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbgkcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgcpjmcb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngfflj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcegmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oikojfgk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eplkpgnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibebkc32.dll" | Kkaiqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mooaljkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgnnln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ooeggp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" | Effcma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpebiecm.dll" | Iompkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgogg32.dll" | Mhgmapfi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmpkjkma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" | Hdlhjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll" | Mieeibkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngkogj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhkbkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" | Ddgjdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Echfaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffhpbacb.exe
Suspicious use of WriteProcessMemory (64 IoCs; each entry below is recorded four times in the report)

description | pid | Process | procid_target
PID 1688 wrote to memory of 2056 | 1688 | 275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe | 28
PID 2056 wrote to memory of 2604 | 2056 | Jgidao32.exe | 29
PID 2604 wrote to memory of 2812 | 2604 | Kihqkagp.exe | 30
PID 2812 wrote to memory of 2276 | 2812 | Kjjmbj32.exe | 31
PID 2276 wrote to memory of 2848 | 2276 | Keoapb32.exe | 32
PID 2848 wrote to memory of 2700 | 2848 | Kgnnln32.exe | 33
PID 2700 wrote to memory of 2976 | 2700 | Keanebkb.exe | 34
PID 2976 wrote to memory of 1852 | 2976 | Kjnfniii.exe | 35
PID 1852 wrote to memory of 2764 | 1852 | Kgbggnhc.exe | 36
PID 2764 wrote to memory of 1948 | 2764 | Kaklpcoc.exe | 37
PID 1948 wrote to memory of 2228 | 1948 | Kifpdelo.exe | 38
PID 2228 wrote to memory of 1720 | 2228 | Lldlqakb.exe | 39
PID 1720 wrote to memory of 572 | 1720 | Lemaif32.exe | 40
PID 572 wrote to memory of 2860 | 572 | Llfifq32.exe | 41
PID 2860 wrote to memory of 2880 | 2860 | Leonofpp.exe | 42
PID 2880 wrote to memory of 2104 | 2880 | Lliflp32.exe | 43
Processes
- C:\Users\Admin\AppData\Local\Temp\275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe (PID 1688, depth 1); command line: "C:\Users\Admin\AppData\Local\Temp\275b0c35ca131cfb165b0d988003f600_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jgidao32.exe (PID 2056, depth 2); command line: C:\Windows\system32\Jgidao32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kihqkagp.exe (PID 2604, depth 3); command line: C:\Windows\system32\Kihqkagp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kjjmbj32.exe (PID 2812, depth 4); command line: C:\Windows\system32\Kjjmbj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Keoapb32.exe (PID 2276, depth 5); command line: C:\Windows\system32\Keoapb32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kgnnln32.exe (PID 2848, depth 6); command line: C:\Windows\system32\Kgnnln32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Keanebkb.exe (PID 2700, depth 7); command line: C:\Windows\system32\Keanebkb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kjnfniii.exe (PID 2976, depth 8); command line: C:\Windows\system32\Kjnfniii.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kgbggnhc.exe (PID 1852, depth 9); command line: C:\Windows\system32\Kgbggnhc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kaklpcoc.exe (PID 2764, depth 10); command line: C:\Windows\system32\Kaklpcoc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kifpdelo.exe (PID 1948, depth 11); command line: C:\Windows\system32\Kifpdelo.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lldlqakb.exe (PID 2228, depth 12); command line: C:\Windows\system32\Lldlqakb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lemaif32.exe (PID 1720, depth 13); command line: C:\Windows\system32\Lemaif32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Llfifq32.exe (PID 572, depth 14); command line: C:\Windows\system32\Llfifq32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Leonofpp.exe (PID 2860, depth 15); command line: C:\Windows\system32\Leonofpp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lliflp32.exe (PID 2880, depth 16); command line: C:\Windows\system32\Lliflp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lojomkdn.exe (PID 2104, depth 17); command line: C:\Windows\system32\Lojomkdn.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lecgje32.exe (PID 576, depth 18); command line: C:\Windows\system32\Lecgje32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Llnofpcg.exe (PID 1836, depth 19); command line: C:\Windows\system32\Llnofpcg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Lollckbk.exe (PID 2336, depth 20); command line: C:\Windows\system32\Lollckbk.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mggpgmof.exe (PID 1524, depth 21); command line: C:\Windows\system32\Mggpgmof.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mkclhl32.exe (PID 1768, depth 22); command line: C:\Windows\system32\Mkclhl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mhgmapfi.exe (PID 1736, depth 23); command line: C:\Windows\system32\Mhgmapfi.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Mgimmm32.exe (PID 1072, depth 24); command line: C:\Windows\system32\Mgimmm32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mmceigep.exe (PID 2952, depth 25); command line: C:\Windows\system32\Mmceigep.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mgljbm32.exe (PID 2908, depth 26); command line: C:\Windows\system32\Mgljbm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mkgfckcj.exe (PID 2656, depth 27); command line: C:\Windows\system32\Mkgfckcj.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mgnfhlin.exe (PID 2824, depth 28); command line: C:\Windows\system32\Mgnfhlin.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mcegmm32.exe (PID 1900, depth 29); command line: C:\Windows\system32\Mcegmm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Mgqcmlgl.exe (PID 2804, depth 30); command line: C:\Windows\system32\Mgqcmlgl.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Miooigfo.exe (PID 2516, depth 31); command line: C:\Windows\system32\Miooigfo.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Ncgdbmmp.exe (PID 1796, depth 32); command line: C:\Windows\system32\Ncgdbmmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Nlphkb32.exe (PID 1044, depth 33); command line: C:\Windows\system32\Nlphkb32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nkbhgojk.exe (PID 2800, depth 34); command line: C:\Windows\system32\Nkbhgojk.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ndkmpe32.exe (PID 2400, depth 35); command line: C:\Windows\system32\Ndkmpe32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nlbeqb32.exe (PID 1920, depth 36); command line: C:\Windows\system32\Nlbeqb32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nglfapnl.exe (PID 844, depth 37); command line: C:\Windows\system32\Nglfapnl.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nnennj32.exe (PID 1716, depth 38); command line: C:\Windows\system32\Nnennj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Npdjje32.exe (PID 1080, depth 39); command line: C:\Windows\system32\Npdjje32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nhkbkc32.exe (PID 328, depth 40); command line: C:\Windows\system32\Nhkbkc32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Njlockkm.exe (PID 2316, depth 41); command line: C:\Windows\system32\Njlockkm.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nnhkcj32.exe (PID 2608, depth 42); command line: C:\Windows\system32\Nnhkcj32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Npfgpe32.exe (PID 2928, depth 43); command line: C:\Windows\system32\Npfgpe32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ndbcpd32.exe (PID 1316, depth 44); command line: C:\Windows\system32\Ndbcpd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nceclqan.exe (PID 1960, depth 45); command line: C:\Windows\system32\Nceclqan.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oklkmnbp.exe (PID 1656, depth 46); command line: C:\Windows\system32\Oklkmnbp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Oqideepg.exe (PID 980, depth 47); command line: C:\Windows\system32\Oqideepg.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ocgpappk.exe (PID 1568, depth 48); command line: C:\Windows\system32\Ocgpappk.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ofelmloo.exe (PID 2948, depth 49); command line: C:\Windows\system32\Ofelmloo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Onmdoioa.exe (PID 2192, depth 50); command line: C:\Windows\system32\Onmdoioa.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oqkqkdne.exe (PID 2640, depth 51); command line: C:\Windows\system32\Oqkqkdne.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ocimgp32.exe (PID 2664, depth 52); command line: C:\Windows\system32\Ocimgp32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ogeigofa.exe (PID 2752, depth 53); command line: C:\Windows\system32\Ogeigofa.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ofhick32.exe (PID 2712, depth 54); command line: C:\Windows\system32\Ofhick32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ojcecjee.exe (PID 2584, depth 55); command line: C:\Windows\system32\Ojcecjee.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ombapedi.exe (PID 1876, depth 56); command line: C:\Windows\system32\Ombapedi.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Obojhlbq.exe (PID 2756, depth 57); command line: C:\Windows\system32\Obojhlbq.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ofjfhk32.exe (PID 2416, depth 58); command line: C:\Windows\system32\Ofjfhk32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Ojfaijcc.exe (PID 1684, depth 59); command line: C:\Windows\system32\Ojfaijcc.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Omdneebf.exe (PID 2408, depth 60); command line: C:\Windows\system32\Omdneebf.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ocnfbo32.exe (PID 552, depth 61); command line: C:\Windows\system32\Ocnfbo32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Obafnlpn.exe (PID 2204, depth 62); command line: C:\Windows\system32\Obafnlpn.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oikojfgk.exe (PID 1844, depth 63); command line: C:\Windows\system32\Oikojfgk.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Okikfagn.exe (PID 2600, depth 64); command line: C:\Windows\system32\Okikfagn.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ooeggp32.exe (PID 2256, depth 65); command line: C:\Windows\system32\Ooeggp32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Onhgbmfb.exe (PID 1100, depth 66); command line: C:\Windows\system32\Onhgbmfb.exe
- C:\Windows\SysWOW64\Obcccl32.exe (PID 1784, depth 67); command line: C:\Windows\system32\Obcccl32.exe
- C:\Windows\SysWOW64\Pdaoog32.exe (PID 1536, depth 68); command line: C:\Windows\system32\Pdaoog32.exe
- C:\Windows\SysWOW64\Pimkpfeh.exe (PID 1740, depth 69); command line: C:\Windows\system32\Pimkpfeh.exe
- C:\Windows\SysWOW64\Pklhlael.exe (PID 688, depth 70); command line: C:\Windows\system32\Pklhlael.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pbfpik32.exe (PID 1484, depth 71); command line: C:\Windows\system32\Pbfpik32.exe
- C:\Windows\SysWOW64\Pedleg32.exe (PID 348, depth 72); command line: C:\Windows\system32\Pedleg32.exe
- C:\Windows\SysWOW64\Piphee32.exe (PID 2740, depth 73); command line: C:\Windows\system32\Piphee32.exe
- C:\Windows\SysWOW64\Pkndaa32.exe (PID 2540, depth 74); command line: C:\Windows\system32\Pkndaa32.exe
- C:\Windows\SysWOW64\Pnlqnl32.exe (PID 2568, depth 75); command line: C:\Windows\system32\Pnlqnl32.exe
- C:\Windows\SysWOW64\Pqkmjh32.exe (PID 1048, depth 76); command line: C:\Windows\system32\Pqkmjh32.exe
- C:\Windows\SysWOW64\Pciifc32.exe (PID 2136, depth 77); command line: C:\Windows\system32\Pciifc32.exe
- C:\Windows\SysWOW64\Pgeefbhm.exe (PID 2688, depth 78); command line: C:\Windows\system32\Pgeefbhm.exe
- C:\Windows\SysWOW64\Pmanoifd.exe (PID 2432, depth 79); command line: C:\Windows\system32\Pmanoifd.exe
- C:\Windows\SysWOW64\Pclfkc32.exe (PID 2412, depth 80); command line: C:\Windows\system32\Pclfkc32.exe
- C:\Windows\SysWOW64\Pggbla32.exe (PID 344, depth 81); command line: C:\Windows\system32\Pggbla32.exe
- C:\Windows\SysWOW64\Pfjbgnme.exe (PID 876, depth 82); command line: C:\Windows\system32\Pfjbgnme.exe
- C:\Windows\SysWOW64\Papfegmk.exe (PID 2364, depth 83); command line: C:\Windows\system32\Papfegmk.exe
- C:\Windows\SysWOW64\Ppbfpd32.exe (PID 2776, depth 84); command line: C:\Windows\system32\Ppbfpd32.exe
- C:\Windows\SysWOW64\Pgioaa32.exe (PID 2312, depth 85); command line: C:\Windows\system32\Pgioaa32.exe
- C:\Windows\SysWOW64\Pflomnkb.exe (PID 1128, depth 86); command line: C:\Windows\system32\Pflomnkb.exe
- C:\Windows\SysWOW64\Qmfgjh32.exe (PID 2376, depth 87); command line: C:\Windows\system32\Qmfgjh32.exe
- C:\Windows\SysWOW64\Qabcjgkh.exe (PID 928, depth 88); command line: C:\Windows\system32\Qabcjgkh.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Qpecfc32.exe (PID 3016, depth 89); command line: C:\Windows\system32\Qpecfc32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Qfokbnip.exe (PID 1776, depth 90); command line: C:\Windows\system32\Qfokbnip.exe
- C:\Windows\SysWOW64\Qimhoi32.exe (PID 2732, depth 91); command line: C:\Windows\system32\Qimhoi32.exe
- C:\Windows\SysWOW64\Qmicohqm.exe (PID 2548, depth 92); command line: C:\Windows\system32\Qmicohqm.exe
- C:\Windows\SysWOW64\Qlkdkd32.exe (PID 2624, depth 93); command line: C:\Windows\system32\Qlkdkd32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Qpgpkcpp.exe (PID 3024, depth 94); command line: C:\Windows\system32\Qpgpkcpp.exe
- C:\Windows\SysWOW64\Qcbllb32.exe (PID 548, depth 95); command line: C:\Windows\system32\Qcbllb32.exe
- C:\Windows\SysWOW64\Qfahhm32.exe (PID 1624, depth 96); command line: C:\Windows\system32\Qfahhm32.exe
- C:\Windows\SysWOW64\Aipddi32.exe (PID 1032, depth 97); command line: C:\Windows\system32\Aipddi32.exe
- C:\Windows\SysWOW64\Amkpegnj.exe (PID 684, depth 98); command line: C:\Windows\system32\Amkpegnj.exe
- C:\Windows\SysWOW64\Anlmmp32.exe (PID 336, depth 99); command line: C:\Windows\system32\Anlmmp32.exe
- C:\Windows\SysWOW64\Afcenm32.exe (PID 2328, depth 100); command line: C:\Windows\system32\Afcenm32.exe
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Aibajhdn.exe (PID 3040, depth 101); command line: C:\Windows\system32\Aibajhdn.exe
- C:\Windows\SysWOW64\Ahdaee32.exe (PID 404, depth 102); command line: C:\Windows\system32\Ahdaee32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Abjebn32.exe (PID 2844, depth 103); command line: C:\Windows\system32\Abjebn32.exe
- C:\Windows\SysWOW64\Aehboi32.exe (PID 2284, depth 104); command line: C:\Windows\system32\Aehboi32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Ahgnke32.exe (PID 2964, depth 105); command line: C:\Windows\system32\Ahgnke32.exe
- C:\Windows\SysWOW64\Anafhopc.exe (PID 1580, depth 106); command line: C:\Windows\system32\Anafhopc.exe
- C:\Windows\SysWOW64\Abmbhn32.exe (PID 2636, depth 107); command line: C:\Windows\system32\Abmbhn32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Adnopfoj.exe (PID 3020, depth 108); command line: C:\Windows\system32\Adnopfoj.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Alegac32.exe (PID 1192, depth 109); command line: C:\Windows\system32\Alegac32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Anccmo32.exe (PID 2760, depth 110); command line: C:\Windows\system32\Anccmo32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Amfcikek.exe (PID 2020, depth 111); command line: C:\Windows\system32\Amfcikek.exe
- C:\Windows\SysWOW64\Aemkjiem.exe (PID 772, depth 112); command line: C:\Windows\system32\Aemkjiem.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ahlgfdeq.exe (PID 2552, depth 113); command line: C:\Windows\system32\Ahlgfdeq.exe
- C:\Windows\SysWOW64\Aoepcn32.exe (PID 2956, depth 114); command line: C:\Windows\system32\Aoepcn32.exe
- C:\Windows\SysWOW64\Amhpnkch.exe (PID 1208, depth 115); command line: C:\Windows\system32\Amhpnkch.exe
- C:\Windows\SysWOW64\Bdbhke32.exe (PID 1828, depth 116); command line: C:\Windows\system32\Bdbhke32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Bhndldcn.exe (PID 1724, depth 117); command line: C:\Windows\system32\Bhndldcn.exe
- C:\Windows\SysWOW64\Bioqclil.exe (PID 808, depth 118); command line: C:\Windows\system32\Bioqclil.exe
- C:\Windows\SysWOW64\Bafidiio.exe (PID 2816, depth 119); command line: C:\Windows\system32\Bafidiio.exe
- C:\Windows\SysWOW64\Bdeeqehb.exe (PID 2200, depth 120); command line: C:\Windows\system32\Bdeeqehb.exe
- C:\Windows\SysWOW64\Bfcampgf.exe (PID 2984, depth 121); command line: C:\Windows\system32\Bfcampgf.exe
- C:\Windows\SysWOW64\Bmmiij32.exe (PID 316, depth 122); command line: C:\Windows\system32\Bmmiij32.exe