Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 11:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe
-
Size
80KB
-
MD5
2103faba533facf6915b46df5db377c0
-
SHA1
39843c8d4b401930e355d93009ade48a3a87767e
-
SHA256
a40972daff7dd9c66e9c4fea47c65448ce4c8b0cf8d5a5c7d9bcbdd83d0a3987
-
SHA512
4595c20382b4e74422349ad77f68780b284f5994c0adeffd470281220443239de3838e56c03102151378b57d6dbc3746491ab034776f2381138ae6714994ea94
-
SSDEEP
1536:Kw2Lf6Yt55OFl53XozO6IM1iV/N+zL20gJi1i9:T2Lf6Yt55OFlGfiV/gzL20WKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdqbekcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibebfpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbgmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgejac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapjmehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiccofna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igihbknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkameaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfamcoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkoplhip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadminnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gakcimgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckffgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmkcoap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbhok32.exe -
Executes dropped EXE 64 IoCs
pid Process 2848 Apcfahio.exe 2712 Ahokfj32.exe 2632 Bagpopmj.exe 2432 Bkodhe32.exe 2524 Bdhhqk32.exe 2664 Bloqah32.exe 2952 Bnpmipql.exe 2796 Begeknan.exe 2944 Bghabf32.exe 1016 Bnbjopoi.exe 1728 Bdlblj32.exe 2760 Bgknheej.exe 1264 Bpcbqk32.exe 2272 Bcaomf32.exe 2164 Cngcjo32.exe 540 Cdakgibq.exe 1468 Cjndop32.exe 2948 Cnippoha.exe 984 Coklgg32.exe 2004 Ccfhhffh.exe 1384 Cgbdhd32.exe 804 Cjpqdp32.exe 908 Clomqk32.exe 1820 Comimg32.exe 2216 Cfgaiaci.exe 2840 Cjbmjplb.exe 2636 Cbnbobin.exe 2548 Chhjkl32.exe 2700 Ckffgg32.exe 2452 Dbpodagk.exe 2596 Dflkdp32.exe 2440 Dgmglh32.exe 1288 Dkhcmgnl.exe 2820 Dngoibmo.exe 2832 Dnilobkm.exe 2808 Dbehoa32.exe 844 Ddcdkl32.exe 2748 Dcfdgiid.exe 360 Dkmmhf32.exe 676 Dmoipopd.exe 640 Ddeaalpg.exe 2120 Dfgmhd32.exe 828 Djbiicon.exe 1752 Dmafennb.exe 336 Dqlafm32.exe 1188 Doobajme.exe 2852 Dgfjbgmh.exe 1920 Dfijnd32.exe 2404 Djefobmk.exe 2564 Emcbkn32.exe 2872 Eqonkmdh.exe 1536 Epaogi32.exe 2956 Ecmkghcl.exe 2428 Eflgccbp.exe 2364 Ejgcdb32.exe 2448 Eijcpoac.exe 2660 Emeopn32.exe 2624 Ekholjqg.exe 2248 Ecpgmhai.exe 2276 Efncicpm.exe 1800 Eilpeooq.exe 1252 Emhlfmgj.exe 2108 Ekklaj32.exe 688 Enihne32.exe -
Loads dropped DLL 64 IoCs
pid Process 1504 2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe 1504 2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe 2848 Apcfahio.exe 2848 Apcfahio.exe 2712 Ahokfj32.exe 2712 Ahokfj32.exe 2632 Bagpopmj.exe 2632 Bagpopmj.exe 2432 Bkodhe32.exe 2432 Bkodhe32.exe 2524 Bdhhqk32.exe 2524 Bdhhqk32.exe 2664 Bloqah32.exe 2664 Bloqah32.exe 2952 Bnpmipql.exe 2952 Bnpmipql.exe 2796 Begeknan.exe 2796 Begeknan.exe 2944 Bghabf32.exe 2944 Bghabf32.exe 1016 Bnbjopoi.exe 1016 Bnbjopoi.exe 1728 Bdlblj32.exe 1728 Bdlblj32.exe 2760 Bgknheej.exe 2760 Bgknheej.exe 1264 Bpcbqk32.exe 1264 Bpcbqk32.exe 2272 Bcaomf32.exe 2272 Bcaomf32.exe 2164 Cngcjo32.exe 2164 Cngcjo32.exe 540 Cdakgibq.exe 540 Cdakgibq.exe 1468 Cjndop32.exe 1468 Cjndop32.exe 2948 Cnippoha.exe 2948 Cnippoha.exe 984 Coklgg32.exe 984 Coklgg32.exe 2004 Ccfhhffh.exe 2004 Ccfhhffh.exe 1384 Cgbdhd32.exe 1384 Cgbdhd32.exe 804 Cjpqdp32.exe 804 Cjpqdp32.exe 908 Clomqk32.exe 908 Clomqk32.exe 1820 Comimg32.exe 1820 Comimg32.exe 2216 Cfgaiaci.exe 2216 Cfgaiaci.exe 2840 Cjbmjplb.exe 2840 Cjbmjplb.exe 2636 Cbnbobin.exe 2636 Cbnbobin.exe 2548 Chhjkl32.exe 2548 Chhjkl32.exe 2700 Ckffgg32.exe 2700 Ckffgg32.exe 2452 Dbpodagk.exe 2452 Dbpodagk.exe 2596 Dflkdp32.exe 2596 Dflkdp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cmbmkg32.dll Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Icbimi32.exe File created C:\Windows\SysWOW64\Lhpbmi32.dll Hiknhbcg.exe File created C:\Windows\SysWOW64\Ekholjqg.exe Emeopn32.exe File created C:\Windows\SysWOW64\Ofbjgh32.dll Meagci32.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dogefd32.exe File created C:\Windows\SysWOW64\Dlnbeh32.exe Dhbfdjdp.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Ejmebq32.exe File created C:\Windows\SysWOW64\Mjbkcgmo.dll Jgagfi32.exe File created C:\Windows\SysWOW64\Agmceh32.dll Kbdklf32.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Hiqbndpb.exe Hknach32.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File created C:\Windows\SysWOW64\Nocnbmoo.exe Nkgbbo32.exe File opened for modification C:\Windows\SysWOW64\Pgioaa32.exe Ppbfpd32.exe File created C:\Windows\SysWOW64\Abkphdmd.dll Eqpgol32.exe File created C:\Windows\SysWOW64\Oegbkc32.dll Hhjapjmi.exe File created C:\Windows\SysWOW64\Hcpbee32.dll Migbnb32.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Facdeo32.exe File opened for modification C:\Windows\SysWOW64\Magqncba.exe Mmldme32.exe File created C:\Windows\SysWOW64\Kgnnln32.exe Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Kaklpcoc.exe Kiccofna.exe File opened for modification C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Jbllihbf.exe Jkbcln32.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Ipllekdl.exe File opened for modification C:\Windows\SysWOW64\Kpjhkjde.exe Kiqpop32.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fejgko32.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nkgbbo32.exe File created C:\Windows\SysWOW64\Emjjdbdn.dll Ngnbgplj.exe File created C:\Windows\SysWOW64\Npfgpe32.exe Nnhkcj32.exe File opened for modification C:\Windows\SysWOW64\Bhkdeggl.exe Baakhm32.exe File created C:\Windows\SysWOW64\Gpqpjj32.exe Gifhnpea.exe File created C:\Windows\SysWOW64\Lgpmbcmh.dll Lfbpag32.exe File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe Geolea32.exe File created C:\Windows\SysWOW64\Ikkbnm32.dll Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Lhmjkaoc.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Nhfipcid.exe Nkbhgojk.exe File created C:\Windows\SysWOW64\Njmggi32.dll Ejhlgaeh.exe File opened for modification C:\Windows\SysWOW64\Hpbiommg.exe Hmdmcanc.exe File opened for modification C:\Windows\SysWOW64\Hdqbekcm.exe Habfipdj.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Aadlcdpk.dll Linphc32.exe File created C:\Windows\SysWOW64\Dgalgjnb.dll Jdbkjn32.exe File created C:\Windows\SysWOW64\Ejbfhfaj.exe Eloemi32.exe File created C:\Windows\SysWOW64\Filldb32.exe Ffnphf32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Lkoacn32.dll Mlibjc32.exe File created C:\Windows\SysWOW64\Ocimgp32.exe Oqkqkdne.exe File opened for modification C:\Windows\SysWOW64\Ginnnooi.exe Gfobbc32.exe File opened for modification C:\Windows\SysWOW64\Chhjkl32.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Ghmiam32.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gddifnbk.exe File created C:\Windows\SysWOW64\Egahmk32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Llcefjgf.exe Leimip32.exe File created C:\Windows\SysWOW64\Enkece32.exe Elmigj32.exe File created C:\Windows\SysWOW64\Daoiajfm.dll Loeebl32.exe File created C:\Windows\SysWOW64\Ehdqecfo.dll Gbaileio.exe File created C:\Windows\SysWOW64\Mpjmjp32.dll Iedkbc32.exe File created C:\Windows\SysWOW64\Khpnecca.dll Jmplcp32.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gphmeo32.exe File created C:\Windows\SysWOW64\Fnpnndgp.exe Flabbihl.exe File created C:\Windows\SysWOW64\Kaaijdgn.exe Joplbl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5728 5712 WerFault.exe 510 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhheqje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmhdknh.dll" Fadminnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifiacd32.dll" Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkcofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eilpeooq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiiddiab.dll" Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfeekif.dll" Gfobbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfmjgeaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" Omfkke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll" Dkcofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgafalg.dll" Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kohkfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdmggnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" Doehqead.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbiipml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkogj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpli32.dll" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabqfggi.dll" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll" Mgalqkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnennj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmbnkhg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1504 wrote to memory of 2848 1504 2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe 28 PID 1504 wrote to memory of 2848 1504 2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe 28 PID 1504 wrote to memory of 2848 1504 2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe 28 PID 1504 wrote to memory of 2848 1504 2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe 28 PID 2848 wrote to memory of 2712 2848 Apcfahio.exe 29 PID 2848 wrote to memory of 2712 2848 Apcfahio.exe 29 PID 2848 wrote to memory of 2712 2848 Apcfahio.exe 29 PID 2848 wrote to memory of 2712 2848 Apcfahio.exe 29 PID 2712 wrote to memory of 2632 2712 Ahokfj32.exe 30 PID 2712 wrote to memory of 2632 2712 Ahokfj32.exe 30 PID 2712 wrote to memory of 2632 2712 Ahokfj32.exe 30 PID 2712 wrote to memory of 2632 2712 Ahokfj32.exe 30 PID 2632 wrote to memory of 2432 2632 Bagpopmj.exe 31 PID 2632 wrote to memory of 2432 2632 Bagpopmj.exe 31 PID 2632 wrote to memory of 2432 2632 Bagpopmj.exe 31 PID 2632 wrote to memory of 2432 2632 Bagpopmj.exe 31 PID 2432 wrote to memory of 2524 2432 Bkodhe32.exe 32 PID 2432 wrote to memory of 2524 2432 Bkodhe32.exe 32 PID 2432 wrote to memory of 2524 2432 Bkodhe32.exe 32 PID 2432 wrote to memory of 2524 2432 Bkodhe32.exe 32 PID 2524 wrote to memory of 2664 2524 Bdhhqk32.exe 33 PID 2524 wrote to memory of 2664 2524 Bdhhqk32.exe 33 PID 2524 wrote to memory of 2664 2524 Bdhhqk32.exe 33 PID 2524 wrote to memory of 2664 2524 Bdhhqk32.exe 33 PID 2664 wrote to memory of 2952 2664 Bloqah32.exe 34 PID 2664 wrote to memory of 2952 2664 Bloqah32.exe 34 PID 2664 wrote to memory of 2952 2664 Bloqah32.exe 34 PID 2664 wrote to memory of 2952 2664 Bloqah32.exe 34 PID 2952 wrote to memory of 2796 2952 Bnpmipql.exe 35 PID 2952 wrote to memory of 2796 2952 Bnpmipql.exe 35 PID 2952 wrote to memory of 2796 2952 Bnpmipql.exe 35 PID 2952 wrote to memory of 2796 2952 Bnpmipql.exe 35 PID 2796 wrote to memory of 2944 2796 Begeknan.exe 36 PID 2796 wrote to memory of 2944 2796 Begeknan.exe 36 PID 2796 wrote to memory of 2944 2796 Begeknan.exe 36 PID 2796 wrote to memory of 2944 2796 Begeknan.exe 36 PID 2944 wrote to memory of 1016 2944 Bghabf32.exe 37 PID 2944 wrote to memory of 1016 2944 Bghabf32.exe 37 PID 2944 wrote to memory of 1016 2944 Bghabf32.exe 37 PID 2944 wrote to memory of 1016 2944 Bghabf32.exe 37 PID 1016 wrote to memory of 1728 1016 Bnbjopoi.exe 38 PID 1016 wrote to memory of 1728 1016 Bnbjopoi.exe 38 PID 1016 wrote to memory of 1728 1016 Bnbjopoi.exe 38 PID 1016 wrote to memory of 1728 1016 Bnbjopoi.exe 38 PID 1728 wrote to memory of 2760 1728 Bdlblj32.exe 39 PID 1728 wrote to memory of 2760 1728 Bdlblj32.exe 39 PID 1728 wrote to memory of 2760 1728 Bdlblj32.exe 39 PID 1728 wrote to memory of 2760 1728 Bdlblj32.exe 39 PID 2760 wrote to memory of 1264 2760 Bgknheej.exe 40 PID 2760 wrote to memory of 1264 2760 Bgknheej.exe 40 PID 2760 wrote to memory of 1264 2760 Bgknheej.exe 40 PID 2760 wrote to memory of 1264 2760 Bgknheej.exe 40 PID 1264 wrote to memory of 2272 1264 Bpcbqk32.exe 41 PID 1264 wrote to memory of 2272 1264 Bpcbqk32.exe 41 PID 1264 wrote to memory of 2272 1264 Bpcbqk32.exe 41 PID 1264 wrote to memory of 2272 1264 Bpcbqk32.exe 41 PID 2272 wrote to memory of 2164 2272 Bcaomf32.exe 42 PID 2272 wrote to memory of 2164 2272 Bcaomf32.exe 42 PID 2272 wrote to memory of 2164 2272 Bcaomf32.exe 42 PID 2272 wrote to memory of 2164 2272 Bcaomf32.exe 42 PID 2164 wrote to memory of 540 2164 Cngcjo32.exe 43 PID 2164 wrote to memory of 540 2164 Cngcjo32.exe 43 PID 2164 wrote to memory of 540 2164 Cngcjo32.exe 43 PID 2164 wrote to memory of 540 2164 Cngcjo32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2103faba533facf6915b46df5db377c0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe33⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe35⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe36⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe37⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe38⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe39⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe40⤵
- Executes dropped EXE
PID:360 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe41⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe42⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe43⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe46⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe47⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe48⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe50⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe51⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe54⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe55⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe56⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe57⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe59⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe61⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe65⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe67⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe68⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe69⤵PID:268
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe70⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe71⤵PID:2148
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe72⤵PID:1844
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe73⤵PID:2240
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe74⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe75⤵PID:2728
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe76⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe77⤵PID:1344
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe79⤵PID:896
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe80⤵PID:2732
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe81⤵PID:2380
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe82⤵PID:2480
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe83⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe84⤵PID:780
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe85⤵PID:1860
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe86⤵PID:2884
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe87⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe88⤵PID:2616
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe90⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe91⤵PID:2528
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe93⤵PID:2208
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe94⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe95⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe97⤵PID:2972
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe98⤵PID:2488
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe99⤵PID:1632
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe100⤵PID:1088
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe101⤵PID:2104
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe103⤵PID:1748
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe104⤵PID:1312
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe105⤵PID:1948
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe107⤵PID:2516
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe108⤵PID:2792
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe109⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe111⤵PID:2780
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe112⤵PID:2040
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe113⤵PID:1700
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe114⤵PID:2260
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe115⤵PID:2136
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe116⤵PID:2000
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe117⤵PID:240
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe118⤵PID:1788
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe119⤵PID:2668
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe121⤵PID:2192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-