Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15/05/2024, 04:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe
-
Size
324KB
-
MD5
7fb2066d3b79e6c2bc83998f1d0ede30
-
SHA1
0c33ee6b1fe5303fea4593d1332e78cf018942a5
-
SHA256
727d27014b16eb9ab823816d7775d86e2b60630661edc93aa7793a338ae2d726
-
SHA512
045627d3790bc463e8f08b0cad8da5bb5ea4fd762d437cd3fbcb4a3de8320217a3e571d3bb9d6e99a3d6c2705f5da16c69f7c8da1393efd8595592620efa436a
-
SSDEEP
6144:36cEsVlljd3rKzwN8Jlljd3njPX9ZAk3f:KDgjpKXjtjP9Zt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekemhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obdkma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilanioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhaebcen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpkbebbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhfnccl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clkndpag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdhine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfijcfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daaicfgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcojed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnaji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjnjqfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnjmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbmibhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihqmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbqefhpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fomonm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidphq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnoikqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejjqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iifokh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgbpihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmknaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmfddnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idacmfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conclk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojcgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmoeoidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmnlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himcoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faihkbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agffge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdjfcecp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbbgnpgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoiokfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdegnep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamleegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kknafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbnpqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmmhdhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idacmfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eofinnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqimk32.exe -
Executes dropped EXE 64 IoCs
pid Process 4428 Cpofpdgd.exe 3280 Capchmmb.exe 3352 Digkijmd.exe 720 Dhjkdg32.exe 1408 Dlegeemh.exe 2032 Doccaall.exe 3276 Dabpnlkp.exe 3456 Diihojkb.exe 4700 Dhlhjf32.exe 452 Dlgdkeje.exe 2568 Dpcpkc32.exe 3672 Dcalgo32.exe 448 Dephckaf.exe 3896 Djlddi32.exe 3452 Dhnepfpj.exe 772 Dljqpd32.exe 2312 Dohmlp32.exe 4500 Dcdimopp.exe 4672 Dagiil32.exe 3516 Debeijoc.exe 896 Djnaji32.exe 4656 Dllmfd32.exe 880 Dphifcoi.exe 4216 Dokjbp32.exe 4996 Dcfebonm.exe 4048 Daifnk32.exe 4344 Dfdbojmq.exe 2392 Djpnohej.exe 4924 Dhcnke32.exe 4284 Dpjflb32.exe 440 Domfgpca.exe 3420 Dchbhn32.exe 3432 Dakbckbe.exe 2620 Efgodj32.exe 2372 Ejbkehcg.exe 4884 Ehekqe32.exe 1996 Elagacbk.exe 5084 Epmcab32.exe 4408 Eckonn32.exe 2472 Ebnoikqb.exe 1812 Efikji32.exe 1344 Ejegjh32.exe 224 Ehhgfdho.exe 1072 Epopgbia.exe 856 Eoapbo32.exe 4232 Ecmlcmhe.exe 1952 Ebploj32.exe 5052 Eflhoigi.exe 4420 Eodlho32.exe 4980 Ecphimfb.exe 2544 Ebbidj32.exe 3932 Efneehef.exe 3184 Ejjqeg32.exe 3332 Ehlaaddj.exe 5004 Elhmablc.exe 3108 Eofinnkf.exe 4020 Eqfeha32.exe 3008 Ecdbdl32.exe 4316 Fbgbpihg.exe 4228 Fjnjqfij.exe 2400 Fomonm32.exe 1636 Fopldmcl.exe 4896 Fbnhphbp.exe 1424 Fihqmb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oneklm32.exe Ojgbfocc.exe File created C:\Windows\SysWOW64\Fllceb32.dll Dhnepfpj.exe File created C:\Windows\SysWOW64\Ehbccoaj.dll Hpenfjad.exe File created C:\Windows\SysWOW64\Jangmibi.exe Jfhbppbc.exe File opened for modification C:\Windows\SysWOW64\Bhkhibmc.exe Bdolhc32.exe File created C:\Windows\SysWOW64\Ehgqln32.exe Edkdkplj.exe File created C:\Windows\SysWOW64\Cdfkolkf.exe Cjmgfgdf.exe File created C:\Windows\SysWOW64\Fqohnp32.exe Fihqmb32.exe File opened for modification C:\Windows\SysWOW64\Ibagcc32.exe Ipckgh32.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pncgmkmj.exe File opened for modification C:\Windows\SysWOW64\Pfolbmje.exe Pgllfp32.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dddhpjof.exe File created C:\Windows\SysWOW64\Chkede32.dll Eckonn32.exe File created C:\Windows\SysWOW64\Bbifelba.exe Blpnib32.exe File created C:\Windows\SysWOW64\Eoodnhmi.dll Eoapbo32.exe File created C:\Windows\SysWOW64\Nqiogp32.exe Nnjbke32.exe File opened for modification C:\Windows\SysWOW64\Kbapjafe.exe Kaqcbi32.exe File created C:\Windows\SysWOW64\Flgmek32.dll Baaplhef.exe File created C:\Windows\SysWOW64\Bpqnnk32.dll Iabgaklg.exe File created C:\Windows\SysWOW64\Jiikak32.exe Jfkoeppq.exe File opened for modification C:\Windows\SysWOW64\Ahkobekf.exe Aelcfilb.exe File created C:\Windows\SysWOW64\Nlmbpgdl.dll Ehimanbq.exe File created C:\Windows\SysWOW64\Dephckaf.exe Dcalgo32.exe File opened for modification C:\Windows\SysWOW64\Mamleegg.exe Mjeddggd.exe File created C:\Windows\SysWOW64\Mjdgcbkb.dll Bbgipldd.exe File opened for modification C:\Windows\SysWOW64\Bjdkjo32.exe Blbknaib.exe File created C:\Windows\SysWOW64\Ckpjfm32.exe Clnjjpod.exe File created C:\Windows\SysWOW64\Qfcfml32.exe Qmkadgpo.exe File opened for modification C:\Windows\SysWOW64\Fjnjqfij.exe Fbgbpihg.exe File created C:\Windows\SysWOW64\Pnnaog32.dll Okloegjl.exe File created C:\Windows\SysWOW64\Phfkqkek.dll Ahkobekf.exe File opened for modification C:\Windows\SysWOW64\Bnlnon32.exe Blmacb32.exe File created C:\Windows\SysWOW64\Chncif32.dll Ehljfnpn.exe File created C:\Windows\SysWOW64\Hmcjlfqa.dll Qffbbldm.exe File created C:\Windows\SysWOW64\Cniohj32.dll Ebnoikqb.exe File opened for modification C:\Windows\SysWOW64\Pcjapi32.exe Oqkdcn32.exe File created C:\Windows\SysWOW64\Daekdooc.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Nloiakho.exe Neeqea32.exe File created C:\Windows\SysWOW64\Nnqbanmo.exe Nfjjppmm.exe File created C:\Windows\SysWOW64\Njkdbljm.dll Eapedd32.exe File created C:\Windows\SysWOW64\Ggcjqj32.dll Jiphkm32.exe File created C:\Windows\SysWOW64\Mamleegg.exe Mjeddggd.exe File created C:\Windows\SysWOW64\Gnpllc32.dll Nfjjppmm.exe File opened for modification C:\Windows\SysWOW64\Caebma32.exe Cabfga32.exe File created C:\Windows\SysWOW64\Omfnojog.dll Jjpeepnb.exe File created C:\Windows\SysWOW64\Kdihjfbe.dll Fkmchi32.exe File created C:\Windows\SysWOW64\Abngjnmo.exe Anbkio32.exe File created C:\Windows\SysWOW64\Cnkplejl.exe Cdfkolkf.exe File created C:\Windows\SysWOW64\Dkfpkkqa.dll Gjclbc32.exe File opened for modification C:\Windows\SysWOW64\Ifjfnb32.exe Ibojncfj.exe File created C:\Windows\SysWOW64\Demecd32.exe Daaicfgd.exe File opened for modification C:\Windows\SysWOW64\Acjclpcf.exe Qffbbldm.exe File created C:\Windows\SysWOW64\Qnhahj32.exe Pcbmka32.exe File created C:\Windows\SysWOW64\Gcddpdpo.exe Gcagkdba.exe File created C:\Windows\SysWOW64\Jidklf32.exe Jcgbco32.exe File opened for modification C:\Windows\SysWOW64\Jpgdbg32.exe Jaedgjjd.exe File created C:\Windows\SysWOW64\Hjqaij32.dll Dkoggkjo.exe File created C:\Windows\SysWOW64\Gdjjckag.exe Gfgjgo32.exe File created C:\Windows\SysWOW64\Odqjbebh.dll Helfik32.exe File opened for modification C:\Windows\SysWOW64\Pnfdcjkg.exe Pfolbmje.exe File opened for modification C:\Windows\SysWOW64\Hbhdmd32.exe Hpihai32.exe File opened for modification C:\Windows\SysWOW64\Cefoce32.exe Cbgbgj32.exe File created C:\Windows\SysWOW64\Maickled.dll Caebma32.exe File opened for modification C:\Windows\SysWOW64\Eflhoigi.exe Ebploj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13564 13480 WerFault.exe 680 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdhcbgd.dll" Bdmpcdfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klngdpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpepcedo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blpnib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhfajjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll" Fqohnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndbnboqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Himcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll" Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aealah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll" Lilanioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll" Mdmegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okhfjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbfpobpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijdhiaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iblfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll" Hkdbpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiklpin.dll" Dabpnlkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehekqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcpopjlq.dll" Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpenfjad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcdegnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndcdmikd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll" Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caebma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjnop32.dll" Iifokh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcojkhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdainc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll" Iiaephpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmhale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinlemia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplmmfmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkfblfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andgoobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglkbhg.dll" Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll" Llemdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpnlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkniapgh.dll" Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" Gfbploob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dljqpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfhbppbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgmcqggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll" Lbabgh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1332 wrote to memory of 4428 1332 7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe 82 PID 1332 wrote to memory of 4428 1332 7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe 82 PID 1332 wrote to memory of 4428 1332 7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe 82 PID 4428 wrote to memory of 3280 4428 Cpofpdgd.exe 83 PID 4428 wrote to memory of 3280 4428 Cpofpdgd.exe 83 PID 4428 wrote to memory of 3280 4428 Cpofpdgd.exe 83 PID 3280 wrote to memory of 3352 3280 Capchmmb.exe 84 PID 3280 wrote to memory of 3352 3280 Capchmmb.exe 84 PID 3280 wrote to memory of 3352 3280 Capchmmb.exe 84 PID 3352 wrote to memory of 720 3352 Digkijmd.exe 85 PID 3352 wrote to memory of 720 3352 Digkijmd.exe 85 PID 3352 wrote to memory of 720 3352 Digkijmd.exe 85 PID 720 wrote to memory of 1408 720 Dhjkdg32.exe 86 PID 720 wrote to memory of 1408 720 Dhjkdg32.exe 86 PID 720 wrote to memory of 1408 720 Dhjkdg32.exe 86 PID 1408 wrote to memory of 2032 1408 Dlegeemh.exe 87 PID 1408 wrote to memory of 2032 1408 Dlegeemh.exe 87 PID 1408 wrote to memory of 2032 1408 Dlegeemh.exe 87 PID 2032 wrote to memory of 3276 2032 Doccaall.exe 88 PID 2032 wrote to memory of 3276 2032 Doccaall.exe 88 PID 2032 wrote to memory of 3276 2032 Doccaall.exe 88 PID 3276 wrote to memory of 3456 3276 Dabpnlkp.exe 89 PID 3276 wrote to memory of 3456 3276 Dabpnlkp.exe 89 PID 3276 wrote to memory of 3456 3276 Dabpnlkp.exe 89 PID 3456 wrote to memory of 4700 3456 Diihojkb.exe 90 PID 3456 wrote to memory of 4700 3456 Diihojkb.exe 90 PID 3456 wrote to memory of 4700 3456 Diihojkb.exe 90 PID 4700 wrote to memory of 452 4700 Dhlhjf32.exe 91 PID 4700 wrote to memory of 452 4700 Dhlhjf32.exe 91 PID 4700 wrote to memory of 452 4700 Dhlhjf32.exe 91 PID 452 wrote to memory of 2568 452 Dlgdkeje.exe 92 PID 452 wrote to memory of 2568 452 Dlgdkeje.exe 92 PID 452 wrote to memory of 2568 452 Dlgdkeje.exe 92 PID 2568 wrote to memory of 3672 2568 Dpcpkc32.exe 93 PID 2568 wrote to memory of 3672 2568 Dpcpkc32.exe 93 PID 2568 wrote to memory of 3672 2568 Dpcpkc32.exe 93 PID 3672 wrote to memory of 448 3672 Dcalgo32.exe 94 PID 3672 wrote to memory of 448 3672 Dcalgo32.exe 94 PID 3672 wrote to memory of 448 3672 Dcalgo32.exe 94 PID 448 wrote to memory of 3896 448 Dephckaf.exe 95 PID 448 wrote to memory of 3896 448 Dephckaf.exe 95 PID 448 wrote to memory of 3896 448 Dephckaf.exe 95 PID 3896 wrote to memory of 3452 3896 Djlddi32.exe 96 PID 3896 wrote to memory of 3452 3896 Djlddi32.exe 96 PID 3896 wrote to memory of 3452 3896 Djlddi32.exe 96 PID 3452 wrote to memory of 772 3452 Dhnepfpj.exe 97 PID 3452 wrote to memory of 772 3452 Dhnepfpj.exe 97 PID 3452 wrote to memory of 772 3452 Dhnepfpj.exe 97 PID 772 wrote to memory of 2312 772 Dljqpd32.exe 98 PID 772 wrote to memory of 2312 772 Dljqpd32.exe 98 PID 772 wrote to memory of 2312 772 Dljqpd32.exe 98 PID 2312 wrote to memory of 4500 2312 Dohmlp32.exe 99 PID 2312 wrote to memory of 4500 2312 Dohmlp32.exe 99 PID 2312 wrote to memory of 4500 2312 Dohmlp32.exe 99 PID 4500 wrote to memory of 4672 4500 Dcdimopp.exe 100 PID 4500 wrote to memory of 4672 4500 Dcdimopp.exe 100 PID 4500 wrote to memory of 4672 4500 Dcdimopp.exe 100 PID 4672 wrote to memory of 3516 4672 Dagiil32.exe 101 PID 4672 wrote to memory of 3516 4672 Dagiil32.exe 101 PID 4672 wrote to memory of 3516 4672 Dagiil32.exe 101 PID 3516 wrote to memory of 896 3516 Debeijoc.exe 102 PID 3516 wrote to memory of 896 3516 Debeijoc.exe 102 PID 3516 wrote to memory of 896 3516 Debeijoc.exe 102 PID 896 wrote to memory of 4656 896 Djnaji32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7fb2066d3b79e6c2bc83998f1d0ede30_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe23⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe24⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe25⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe26⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe27⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe28⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe29⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe30⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe31⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe32⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe33⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe34⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe35⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe36⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4884 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe38⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4408 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe42⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe43⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe44⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe45⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe47⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe49⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe50⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe51⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe52⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe53⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe55⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe56⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe58⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe59⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe63⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe64⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe66⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4044 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe68⤵PID:5012
-
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe69⤵PID:4272
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe70⤵PID:1100
-
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe71⤵PID:3444
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe72⤵PID:4184
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe73⤵PID:1088
-
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe74⤵PID:2600
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe75⤵PID:3876
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe76⤵PID:3312
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe77⤵PID:2264
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe78⤵PID:1012
-
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe79⤵PID:3248
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1292 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe81⤵PID:432
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe82⤵PID:992
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe83⤵
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe84⤵PID:2848
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe85⤵PID:2448
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe86⤵PID:4304
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe87⤵PID:3460
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe88⤵PID:4480
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1200 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe90⤵PID:1556
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe92⤵PID:884
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4472 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe94⤵PID:400
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe95⤵PID:2000
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe96⤵PID:3804
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe97⤵PID:1700
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe98⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe99⤵PID:5160
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe100⤵PID:5204
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe101⤵PID:5248
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe103⤵PID:5340
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe104⤵PID:5388
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe105⤵PID:5424
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe106⤵PID:5472
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe107⤵PID:5516
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe109⤵PID:5596
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe110⤵PID:5632
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe111⤵PID:5684
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe112⤵PID:5732
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe114⤵PID:5844
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe115⤵PID:5888
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe116⤵PID:5936
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe117⤵
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe118⤵PID:6024
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe119⤵PID:6068
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe120⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1184
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-