Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 18:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe
-
Size
52KB
-
MD5
485cd66b456d6304036088909ffbedc0
-
SHA1
d0b7181e269315302c33bf8fa82aec676643c641
-
SHA256
d75e4e9019f0021610e3aadcd759805260885ec95bf5ad503fbba88bcf8e7024
-
SHA512
e14d9bef7bdc59871058e72ec277f4cd409357952d76b39e12946a17dae7725fbd1b9aa64d17a3c12d6c044c35297784ee61d3f236829d074ddbec4ff921f825
-
SSDEEP
768:B2V/6dpFxtde+Mj4m4eQHo7R++/bOdoOwPV5PXnA4h2/34Q/1H5F/s/MABvKWe:0Vydvxze+Mj4mZR/2IhXA/4WCMAdKZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmopod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giieco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdifkpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmdoioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illgimph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmapm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faigdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebgia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjclbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkaiqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlockkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpfojmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjpacfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhladfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjdjmfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gogangdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcfkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcenlceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoamgd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2968 Bkodhe32.exe 2628 Beehencq.exe 2572 Bdhhqk32.exe 2920 Bkaqmeah.exe 2400 Bommnc32.exe 2128 Bdjefj32.exe 2648 Bghabf32.exe 2576 Banepo32.exe 1572 Bdlblj32.exe 1632 Bjijdadm.exe 1316 Baqbenep.exe 2872 Bcaomf32.exe 2224 Cjlgiqbk.exe 2076 Cpeofk32.exe 336 Cdakgibq.exe 2824 Cphlljge.exe 1232 Cfeddafl.exe 1108 Clomqk32.exe 864 Cpjiajeb.exe 1888 Cfgaiaci.exe 3044 Chemfl32.exe 612 Cbnbobin.exe 1708 Cdlnkmha.exe 1500 Ckffgg32.exe 2532 Dbpodagk.exe 2624 Dkhcmgnl.exe 2688 Dngoibmo.exe 2528 Dqelenlc.exe 2884 Dkkpbgli.exe 2148 Dcfdgiid.exe 2704 Dgaqgh32.exe 556 Dmoipopd.exe 1796 Ddeaalpg.exe 2780 Dfgmhd32.exe 2364 Djbiicon.exe 3000 Dnneja32.exe 2232 Dqlafm32.exe 564 Dcknbh32.exe 1992 Dgfjbgmh.exe 1724 Djefobmk.exe 2084 Emcbkn32.exe 2980 Eqonkmdh.exe 2568 Epaogi32.exe 948 Ecmkghcl.exe 896 Ebpkce32.exe 2092 Eflgccbp.exe 1428 Emeopn32.exe 2684 Ekholjqg.exe 2560 Epdkli32.exe 2388 Ebbgid32.exe 2152 Efncicpm.exe 2664 Emhlfmgj.exe 356 Epfhbign.exe 1228 Enihne32.exe 2180 Ebedndfa.exe 2044 Eecqjpee.exe 1248 Eiomkn32.exe 2056 Elmigj32.exe 2248 Enkece32.exe 592 Eajaoq32.exe 2100 Eeempocb.exe 2992 Egdilkbf.exe 1292 Eloemi32.exe 1920 Ennaieib.exe -
Loads dropped DLL 64 IoCs
pid Process 2320 485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe 2320 485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe 2968 Bkodhe32.exe 2968 Bkodhe32.exe 2628 Beehencq.exe 2628 Beehencq.exe 2572 Bdhhqk32.exe 2572 Bdhhqk32.exe 2920 Bkaqmeah.exe 2920 Bkaqmeah.exe 2400 Bommnc32.exe 2400 Bommnc32.exe 2128 Bdjefj32.exe 2128 Bdjefj32.exe 2648 Bghabf32.exe 2648 Bghabf32.exe 2576 Banepo32.exe 2576 Banepo32.exe 1572 Bdlblj32.exe 1572 Bdlblj32.exe 1632 Bjijdadm.exe 1632 Bjijdadm.exe 1316 Baqbenep.exe 1316 Baqbenep.exe 2872 Bcaomf32.exe 2872 Bcaomf32.exe 2224 Cjlgiqbk.exe 2224 Cjlgiqbk.exe 2076 Cpeofk32.exe 2076 Cpeofk32.exe 336 Cdakgibq.exe 336 Cdakgibq.exe 2824 Cphlljge.exe 2824 Cphlljge.exe 1232 Cfeddafl.exe 1232 Cfeddafl.exe 1108 Clomqk32.exe 1108 Clomqk32.exe 864 Cpjiajeb.exe 864 Cpjiajeb.exe 1888 Cfgaiaci.exe 1888 Cfgaiaci.exe 3044 Chemfl32.exe 3044 Chemfl32.exe 612 Cbnbobin.exe 612 Cbnbobin.exe 1708 Cdlnkmha.exe 1708 Cdlnkmha.exe 1500 Ckffgg32.exe 1500 Ckffgg32.exe 2532 Dbpodagk.exe 2532 Dbpodagk.exe 2624 Dkhcmgnl.exe 2624 Dkhcmgnl.exe 2688 Dngoibmo.exe 2688 Dngoibmo.exe 2528 Dqelenlc.exe 2528 Dqelenlc.exe 2884 Dkkpbgli.exe 2884 Dkkpbgli.exe 2148 Dcfdgiid.exe 2148 Dcfdgiid.exe 2704 Dgaqgh32.exe 2704 Dgaqgh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Blnhfb32.dll Gaqcoc32.exe File created C:\Windows\SysWOW64\Nlbeqb32.exe Nhfipcid.exe File opened for modification C:\Windows\SysWOW64\Jmplcp32.exe Jnmlhchd.exe File created C:\Windows\SysWOW64\Aadlcdpk.dll Lmikibio.exe File opened for modification C:\Windows\SysWOW64\Nkbhgojk.exe Nlphkb32.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bdbhke32.exe File created C:\Windows\SysWOW64\Ikkjbe32.exe Iccbqh32.exe File created C:\Windows\SysWOW64\Lnhplkhl.dll Ioolqh32.exe File created C:\Windows\SysWOW64\Leajdfnm.exe Lafndg32.exe File opened for modification C:\Windows\SysWOW64\Kaaijdgn.exe Jbnhng32.exe File opened for modification C:\Windows\SysWOW64\Pnomcl32.exe Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Ceaadk32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Bkodhe32.exe File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe Eeempocb.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Npfgpe32.exe File opened for modification C:\Windows\SysWOW64\Ikhjki32.exe Ileiplhn.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Facdeo32.exe File created C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File created C:\Windows\SysWOW64\Chfpgj32.dll Ombapedi.exe File opened for modification C:\Windows\SysWOW64\Piphee32.exe Pedleg32.exe File created C:\Windows\SysWOW64\Ckoilb32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Qjfhfnim.dll Kklpekno.exe File created C:\Windows\SysWOW64\Ibebkc32.dll Kkaiqk32.exe File created C:\Windows\SysWOW64\Ghlpli32.dll Ifcbodli.exe File created C:\Windows\SysWOW64\Delpclld.dll Mijfnh32.exe File created C:\Windows\SysWOW64\Fikjha32.dll Aaobdjof.exe File created C:\Windows\SysWOW64\Jjpbahga.dll Kneicieh.exe File created C:\Windows\SysWOW64\Pogclp32.exe Pklhlael.exe File created C:\Windows\SysWOW64\Enbfpg32.dll Pogclp32.exe File created C:\Windows\SysWOW64\Kegqdqbl.exe Kbidgeci.exe File created C:\Windows\SysWOW64\Gabqfggi.dll Labkdack.exe File created C:\Windows\SysWOW64\Pnlqnl32.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Behnnm32.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Olfeho32.dll Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Ncpcfkbg.exe Nodgel32.exe File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe Ebpkce32.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Facdeo32.exe File created C:\Windows\SysWOW64\Cpnojioo.exe Cnobnmpl.exe File created C:\Windows\SysWOW64\Elgkkpon.dll Cnobnmpl.exe File created C:\Windows\SysWOW64\Iefhhbef.exe Igchlf32.exe File created C:\Windows\SysWOW64\Ennaieib.exe Eloemi32.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Efcfga32.exe Egafleqm.exe File created C:\Windows\SysWOW64\Hdnepk32.exe Hpbiommg.exe File opened for modification C:\Windows\SysWOW64\Jmbiipml.exe Jnpinc32.exe File created C:\Windows\SysWOW64\Dcdooi32.dll Fdapak32.exe File created C:\Windows\SysWOW64\Jkdpanhg.exe Jifdebic.exe File created C:\Windows\SysWOW64\Kgbggnhc.exe Kcfkfo32.exe File created C:\Windows\SysWOW64\Chboohof.dll Bbhela32.exe File created C:\Windows\SysWOW64\Gjdhbc32.exe Gfhladfn.exe File opened for modification C:\Windows\SysWOW64\Gmbdnn32.exe Gjdhbc32.exe File created C:\Windows\SysWOW64\Noomnjpj.dll Mpjqiq32.exe File created C:\Windows\SysWOW64\Oqideepg.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Jdgdempa.exe Jqlhdo32.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Mpjqiq32.exe File created C:\Windows\SysWOW64\Idhqkpcf.dll Lpbefoai.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Adpkee32.exe File created C:\Windows\SysWOW64\Nckjkl32.exe Ndhipoob.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Epdkli32.exe File created C:\Windows\SysWOW64\Ldahol32.dll Gangic32.exe File opened for modification C:\Windows\SysWOW64\Fhneehek.exe Fepiimfg.exe File created C:\Windows\SysWOW64\Kklcab32.dll Ncpcfkbg.exe File created C:\Windows\SysWOW64\Abhimnma.exe Anlmmp32.exe File opened for modification C:\Windows\SysWOW64\Ikkjbe32.exe Iccbqh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8168 8140 WerFault.exe 766 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmianb32.dll" Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoamgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecqjpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifjqh32.dll" Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpbmi32.dll" Hiknhbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedolome.dll" Jnpinc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpegi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Ajejgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfghif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fekpnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" Mpjqiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lecgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leljop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" Iqmcpahh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqfffqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nejiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necfoajd.dll" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhbhf32.dll" Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kihqkagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faigdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigbna32.dll" Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbkhq32.dll" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjeknjd.dll" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbipbbd.dll" Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlegpjp.dll" Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfqpega.dll" Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfgbaoo.dll" Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bommnc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 2968 2320 485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe 28 PID 2320 wrote to memory of 2968 2320 485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe 28 PID 2320 wrote to memory of 2968 2320 485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe 28 PID 2320 wrote to memory of 2968 2320 485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe 28 PID 2968 wrote to memory of 2628 2968 Bkodhe32.exe 29 PID 2968 wrote to memory of 2628 2968 Bkodhe32.exe 29 PID 2968 wrote to memory of 2628 2968 Bkodhe32.exe 29 PID 2968 wrote to memory of 2628 2968 Bkodhe32.exe 29 PID 2628 wrote to memory of 2572 2628 Beehencq.exe 30 PID 2628 wrote to memory of 2572 2628 Beehencq.exe 30 PID 2628 wrote to memory of 2572 2628 Beehencq.exe 30 PID 2628 wrote to memory of 2572 2628 Beehencq.exe 30 PID 2572 wrote to memory of 2920 2572 Bdhhqk32.exe 31 PID 2572 wrote to memory of 2920 2572 Bdhhqk32.exe 31 PID 2572 wrote to memory of 2920 2572 Bdhhqk32.exe 31 PID 2572 wrote to memory of 2920 2572 Bdhhqk32.exe 31 PID 2920 wrote to memory of 2400 2920 Bkaqmeah.exe 32 PID 2920 wrote to memory of 2400 2920 Bkaqmeah.exe 32 PID 2920 wrote to memory of 2400 2920 Bkaqmeah.exe 32 PID 2920 wrote to memory of 2400 2920 Bkaqmeah.exe 32 PID 2400 wrote to memory of 2128 2400 Bommnc32.exe 33 PID 2400 wrote to memory of 2128 2400 Bommnc32.exe 33 PID 2400 wrote to memory of 2128 2400 Bommnc32.exe 33 PID 2400 wrote to memory of 2128 2400 Bommnc32.exe 33 PID 2128 wrote to memory of 2648 2128 Bdjefj32.exe 34 PID 2128 wrote to memory of 2648 2128 Bdjefj32.exe 34 PID 2128 wrote to memory of 2648 2128 Bdjefj32.exe 34 PID 2128 wrote to memory of 2648 2128 Bdjefj32.exe 34 PID 2648 wrote to memory of 2576 2648 Bghabf32.exe 35 PID 2648 wrote to memory of 2576 2648 Bghabf32.exe 35 PID 2648 wrote to memory of 2576 2648 Bghabf32.exe 35 PID 2648 wrote to memory of 2576 2648 Bghabf32.exe 35 PID 2576 wrote to memory of 1572 2576 Banepo32.exe 36 PID 2576 wrote to memory of 1572 2576 Banepo32.exe 36 PID 2576 wrote to memory of 1572 2576 Banepo32.exe 36 PID 2576 wrote to memory of 1572 2576 Banepo32.exe 36 PID 1572 wrote to memory of 1632 1572 Bdlblj32.exe 37 PID 1572 wrote to memory of 1632 1572 Bdlblj32.exe 37 PID 1572 wrote to memory of 1632 1572 Bdlblj32.exe 37 PID 1572 wrote to memory of 1632 1572 Bdlblj32.exe 37 PID 1632 wrote to memory of 1316 1632 Bjijdadm.exe 38 PID 1632 wrote to memory of 1316 1632 Bjijdadm.exe 38 PID 1632 wrote to memory of 1316 1632 Bjijdadm.exe 38 PID 1632 wrote to memory of 1316 1632 Bjijdadm.exe 38 PID 1316 wrote to memory of 2872 1316 Baqbenep.exe 39 PID 1316 wrote to memory of 2872 1316 Baqbenep.exe 39 PID 1316 wrote to memory of 2872 1316 Baqbenep.exe 39 PID 1316 wrote to memory of 2872 1316 Baqbenep.exe 39 PID 2872 wrote to memory of 2224 2872 Bcaomf32.exe 40 PID 2872 wrote to memory of 2224 2872 Bcaomf32.exe 40 PID 2872 wrote to memory of 2224 2872 Bcaomf32.exe 40 PID 2872 wrote to memory of 2224 2872 Bcaomf32.exe 40 PID 2224 wrote to memory of 2076 2224 Cjlgiqbk.exe 41 PID 2224 wrote to memory of 2076 2224 Cjlgiqbk.exe 41 PID 2224 wrote to memory of 2076 2224 Cjlgiqbk.exe 41 PID 2224 wrote to memory of 2076 2224 Cjlgiqbk.exe 41 PID 2076 wrote to memory of 336 2076 Cpeofk32.exe 42 PID 2076 wrote to memory of 336 2076 Cpeofk32.exe 42 PID 2076 wrote to memory of 336 2076 Cpeofk32.exe 42 PID 2076 wrote to memory of 336 2076 Cpeofk32.exe 42 PID 336 wrote to memory of 2824 336 Cdakgibq.exe 43 PID 336 wrote to memory of 2824 336 Cdakgibq.exe 43 PID 336 wrote to memory of 2824 336 Cdakgibq.exe 43 PID 336 wrote to memory of 2824 336 Cdakgibq.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\485cd66b456d6304036088909ffbedc0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe33⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe35⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe36⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe37⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe38⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe39⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe41⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe43⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe44⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe45⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe47⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe48⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe49⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe51⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe52⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe53⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe54⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe56⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe58⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe59⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe60⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe61⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe63⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe65⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe66⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe67⤵PID:1128
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe68⤵PID:2592
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe69⤵PID:2552
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe70⤵PID:2412
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe71⤵PID:2452
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe72⤵PID:2376
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe73⤵PID:2476
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe74⤵PID:2764
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe75⤵
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe76⤵PID:1540
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe77⤵PID:1148
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe78⤵PID:1912
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe79⤵PID:1208
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe80⤵PID:752
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe81⤵PID:2940
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe82⤵PID:2960
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe83⤵PID:2116
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe84⤵PID:828
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe85⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe86⤵PID:3028
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe87⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe88⤵PID:2384
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe89⤵PID:2504
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe90⤵PID:1576
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe91⤵PID:2700
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe92⤵PID:1584
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe93⤵PID:1672
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe94⤵PID:2016
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe95⤵PID:1916
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe96⤵PID:1416
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe97⤵
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe98⤵PID:3024
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe99⤵PID:1472
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe100⤵PID:304
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe101⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe102⤵PID:332
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe103⤵PID:2596
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe104⤵PID:2876
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe105⤵PID:2444
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe106⤵
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe107⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe109⤵PID:324
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe110⤵PID:1436
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe111⤵PID:636
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe112⤵PID:1408
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe113⤵PID:1676
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe114⤵PID:1700
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe116⤵PID:2868
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe117⤵PID:2924
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe118⤵PID:2392
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe120⤵PID:1244
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe121⤵PID:2052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-