Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15/05/2024, 17:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe
-
Size
55KB
-
MD5
0b16dabb0b7f768ce31a5f26794264f0
-
SHA1
9f7fd0d6956282731f04fc14fc398ff1c1e58d49
-
SHA256
cb67b766f04d90f68d094c70d0d6fdd494b691e493248a766885fc03576ca529
-
SHA512
20895bd497e3998f54324b8c95322b3957670f9f4bd3f4a33841ed64cb32a8c77ab2822c09eb9b7cf59ad5a1b2cee6e1444d1f706d0d5d105caff546d7c09e4a
-
SSDEEP
768:kNnfWAajhttK5yWhTU2L9NB23LppyTKIn3znQhGDkm6z2laaQyVitDa7tZBCtCO7:AfWRjNoykJPvT8GoViahyptZBS2LlG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgqln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blfdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpnfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjcolha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abngjnmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpbmco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogifjcdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceoibflm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkljak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbeidl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkjdnoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdolh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddojq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqmjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddakjkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpnchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Menjdbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeiofcji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqimo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhikcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabbjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmngglp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimnbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhnpjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qloebdig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imdgqfbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekemhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnicfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abemjmgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifbang.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aminee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobkfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menjdbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmlgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopgjmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbknfed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmngqdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfoeega.exe -
Executes dropped EXE 64 IoCs
pid Process 932 Qloebdig.exe 4388 Qalnjkgo.exe 2364 Aegikj32.exe 3000 Alabgd32.exe 1836 Abkjdnoa.exe 5116 Acmflf32.exe 4888 Aldomc32.exe 1912 Abngjnmo.exe 3460 Aelcfilb.exe 3684 Alfkbc32.exe 4216 Abpcon32.exe 4720 Aacckjaf.exe 3088 Ahmlgd32.exe 1008 Abbpem32.exe 1012 Aealah32.exe 3668 Ahoimd32.exe 2104 Ajneip32.exe 3244 Abemjmgg.exe 2604 Bdfibe32.exe 1608 Bhaebcen.exe 2736 Bnlnon32.exe 2168 Beeflhdh.exe 4284 Bhdbhcck.exe 1656 Bjbndobo.exe 2636 Bdkcmdhp.exe 2788 Blbknaib.exe 1812 Bopgjmhe.exe 3152 Baocghgi.exe 1468 Bhikcb32.exe 968 Bjghpn32.exe 1472 Bemlmgnp.exe 4348 Bdolhc32.exe 680 Blfdia32.exe 4212 Boepel32.exe 3364 Cbqlfkmi.exe 4036 Ceoibflm.exe 4000 Chmeobkq.exe 3164 Cklaknjd.exe 5020 Cbcilkjg.exe 1112 Cddecc32.exe 5040 Clkndpag.exe 4628 Cknnpm32.exe 4996 Cahfmgoo.exe 3156 Cdfbibnb.exe 4780 Chbnia32.exe 5088 Ckpjfm32.exe 628 Cajcbgml.exe 3016 Cefoce32.exe 3848 Clpgpp32.exe 3640 Cbjoljdo.exe 3992 Cdkldb32.exe 820 Clbceo32.exe 432 Doqpak32.exe 400 Daolnf32.exe 1524 Ddmhja32.exe 1184 Dldpkoil.exe 380 Daaicfgd.exe 212 Ddpeoafg.exe 2744 Dlgmpogj.exe 2824 Dbaemi32.exe 1120 Dhnnep32.exe 4664 Dkljak32.exe 5080 Dafbne32.exe 4448 Dddojq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdkfmkdc.dll Klqcioba.exe File created C:\Windows\SysWOW64\Nnjlpo32.exe Nebdoa32.exe File created C:\Windows\SysWOW64\Fjbodfcj.dll Agoabn32.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cnkplejl.exe File opened for modification C:\Windows\SysWOW64\Mplhql32.exe Mlampmdo.exe File created C:\Windows\SysWOW64\Nlmllkja.exe Nnjlpo32.exe File created C:\Windows\SysWOW64\Qcgffqei.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Bhikcb32.exe Baocghgi.exe File opened for modification C:\Windows\SysWOW64\Cbqlfkmi.exe Boepel32.exe File created C:\Windows\SysWOW64\Lcjnop32.dll Imakkfdg.exe File created C:\Windows\SysWOW64\Ndqgbjkm.dll Jfhlejnh.exe File opened for modification C:\Windows\SysWOW64\Kebbafoj.exe Kpeiioac.exe File opened for modification C:\Windows\SysWOW64\Djdmffnn.exe Dfiafg32.exe File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe Acqimo32.exe File created C:\Windows\SysWOW64\Chncif32.dll Edpnfo32.exe File opened for modification C:\Windows\SysWOW64\Jplfcpin.exe Jmmjgejj.exe File opened for modification C:\Windows\SysWOW64\Ncbknfed.exe Npcoakfp.exe File opened for modification C:\Windows\SysWOW64\Olmeci32.exe Ofcmfodb.exe File opened for modification C:\Windows\SysWOW64\Pcncpbmd.exe Pdkcde32.exe File created C:\Windows\SysWOW64\Hmcjlfqa.dll Adgbpc32.exe File created C:\Windows\SysWOW64\Kpeiioac.exe Kmfmmcbo.exe File created C:\Windows\SysWOW64\Nhgaocmg.dll Kbhoqj32.exe File created C:\Windows\SysWOW64\Deokon32.exe Daconoae.exe File created C:\Windows\SysWOW64\Cknnpm32.exe Clkndpag.exe File created C:\Windows\SysWOW64\Jpphah32.dll Jehokgge.exe File created C:\Windows\SysWOW64\Jpnchp32.exe Jidklf32.exe File created C:\Windows\SysWOW64\Oneklm32.exe Ofnckp32.exe File created C:\Windows\SysWOW64\Cegdnopg.exe Calhnpgn.exe File opened for modification C:\Windows\SysWOW64\Daaicfgd.exe Dldpkoil.exe File opened for modification C:\Windows\SysWOW64\Iejcji32.exe Ifgbnlmj.exe File opened for modification C:\Windows\SysWOW64\Nlaegk32.exe Nnneknob.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bhhdil32.exe File opened for modification C:\Windows\SysWOW64\Blbknaib.exe Bdkcmdhp.exe File created C:\Windows\SysWOW64\Dammlf32.dll Heocnk32.exe File created C:\Windows\SysWOW64\Jlnnmb32.exe Jedeph32.exe File opened for modification C:\Windows\SysWOW64\Npmagine.exe Nlaegk32.exe File created C:\Windows\SysWOW64\Ldamee32.dll Ocgmpccl.exe File created C:\Windows\SysWOW64\Ddpeoafg.exe Daaicfgd.exe File created C:\Windows\SysWOW64\Eeidoc32.exe Ecjhcg32.exe File opened for modification C:\Windows\SysWOW64\Nnneknob.exe Nfgmjqop.exe File created C:\Windows\SysWOW64\Papbpdoi.dll Qjoankoi.exe File created C:\Windows\SysWOW64\Jlklhm32.dll Anadoi32.exe File created C:\Windows\SysWOW64\Cnffqf32.exe Cjkjpgfi.exe File created C:\Windows\SysWOW64\Caebma32.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Nokpao32.dll Dgbdlf32.exe File created C:\Windows\SysWOW64\Eleiam32.exe Ednaqo32.exe File created C:\Windows\SysWOW64\Pkfcej32.dll Lebkhc32.exe File created C:\Windows\SysWOW64\Flfelggh.dll Mdhdajea.exe File created C:\Windows\SysWOW64\Llmglb32.dll Opdghh32.exe File created C:\Windows\SysWOW64\Bfhhoi32.exe Bgehcmmm.exe File created C:\Windows\SysWOW64\Bhicommo.dll Cenahpha.exe File opened for modification C:\Windows\SysWOW64\Doilmc32.exe Dknpmdfc.exe File created C:\Windows\SysWOW64\Hjjgia32.dll Aegikj32.exe File created C:\Windows\SysWOW64\Qddina32.dll Hofdacke.exe File created C:\Windows\SysWOW64\Liddbc32.exe Lbjlfi32.exe File created C:\Windows\SysWOW64\Djoeni32.dll Odkjng32.exe File created C:\Windows\SysWOW64\Ambgef32.exe Anogiicl.exe File created C:\Windows\SysWOW64\Mjljbfog.dll Flqimk32.exe File created C:\Windows\SysWOW64\Ljodkeij.dll Lpqiemge.exe File created C:\Windows\SysWOW64\Acnlgp32.exe Aqppkd32.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Bfhhoi32.exe File created C:\Windows\SysWOW64\Iqjikg32.dll Bclhhnca.exe File created C:\Windows\SysWOW64\Bdfibe32.exe Abemjmgg.exe File opened for modification C:\Windows\SysWOW64\Flqimk32.exe Fhemmlhc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10328 11084 WerFault.exe 521 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pllfhkno.dll" Bhdbhcck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll" Mgimcebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll" Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjnop32.dll" Imakkfdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll" Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll" Beihma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfkqkek.dll" Aelcfilb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpjhl32.dll" Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqddl32.dll" Cddecc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbjoljdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll" Kebbafoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beeoaapl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbkeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohppck.dll" Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" Pmannhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chcddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmgki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll" Hoiafcic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll" Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll" Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnglm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojllan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll" Bjmnoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbaemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfgmjqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcimkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll" Hofdacke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kebbafoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll" Belebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glhonj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Himldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll" Kdcbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgapeea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dejacond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daconoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cefoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcckif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icifbang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcdmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll" Liddbc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4548 wrote to memory of 932 4548 0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe 83 PID 4548 wrote to memory of 932 4548 0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe 83 PID 4548 wrote to memory of 932 4548 0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe 83 PID 932 wrote to memory of 4388 932 Qloebdig.exe 84 PID 932 wrote to memory of 4388 932 Qloebdig.exe 84 PID 932 wrote to memory of 4388 932 Qloebdig.exe 84 PID 4388 wrote to memory of 2364 4388 Qalnjkgo.exe 85 PID 4388 wrote to memory of 2364 4388 Qalnjkgo.exe 85 PID 4388 wrote to memory of 2364 4388 Qalnjkgo.exe 85 PID 2364 wrote to memory of 3000 2364 Aegikj32.exe 86 PID 2364 wrote to memory of 3000 2364 Aegikj32.exe 86 PID 2364 wrote to memory of 3000 2364 Aegikj32.exe 86 PID 3000 wrote to memory of 1836 3000 Alabgd32.exe 87 PID 3000 wrote to memory of 1836 3000 Alabgd32.exe 87 PID 3000 wrote to memory of 1836 3000 Alabgd32.exe 87 PID 1836 wrote to memory of 5116 1836 Abkjdnoa.exe 88 PID 1836 wrote to memory of 5116 1836 Abkjdnoa.exe 88 PID 1836 wrote to memory of 5116 1836 Abkjdnoa.exe 88 PID 5116 wrote to memory of 4888 5116 Acmflf32.exe 89 PID 5116 wrote to memory of 4888 5116 Acmflf32.exe 89 PID 5116 wrote to memory of 4888 5116 Acmflf32.exe 89 PID 4888 wrote to memory of 1912 4888 Aldomc32.exe 90 PID 4888 wrote to memory of 1912 4888 Aldomc32.exe 90 PID 4888 wrote to memory of 1912 4888 Aldomc32.exe 90 PID 1912 wrote to memory of 3460 1912 Abngjnmo.exe 91 PID 1912 wrote to memory of 3460 1912 Abngjnmo.exe 91 PID 1912 wrote to memory of 3460 1912 Abngjnmo.exe 91 PID 3460 wrote to memory of 3684 3460 Aelcfilb.exe 92 PID 3460 wrote to memory of 3684 3460 Aelcfilb.exe 92 PID 3460 wrote to memory of 3684 3460 Aelcfilb.exe 92 PID 3684 wrote to memory of 4216 3684 Alfkbc32.exe 93 PID 3684 wrote to memory of 4216 3684 Alfkbc32.exe 93 PID 3684 wrote to memory of 4216 3684 Alfkbc32.exe 93 PID 4216 wrote to memory of 4720 4216 Abpcon32.exe 94 PID 4216 wrote to memory of 4720 4216 Abpcon32.exe 94 PID 4216 wrote to memory of 4720 4216 Abpcon32.exe 94 PID 4720 wrote to memory of 3088 4720 Aacckjaf.exe 95 PID 4720 wrote to memory of 3088 4720 Aacckjaf.exe 95 PID 4720 wrote to memory of 3088 4720 Aacckjaf.exe 95 PID 3088 wrote to memory of 1008 3088 Ahmlgd32.exe 96 PID 3088 wrote to memory of 1008 3088 Ahmlgd32.exe 96 PID 3088 wrote to memory of 1008 3088 Ahmlgd32.exe 96 PID 1008 wrote to memory of 1012 1008 Abbpem32.exe 97 PID 1008 wrote to memory of 1012 1008 Abbpem32.exe 97 PID 1008 wrote to memory of 1012 1008 Abbpem32.exe 97 PID 1012 wrote to memory of 3668 1012 Aealah32.exe 98 PID 1012 wrote to memory of 3668 1012 Aealah32.exe 98 PID 1012 wrote to memory of 3668 1012 Aealah32.exe 98 PID 3668 wrote to memory of 2104 3668 Ahoimd32.exe 99 PID 3668 wrote to memory of 2104 3668 Ahoimd32.exe 99 PID 3668 wrote to memory of 2104 3668 Ahoimd32.exe 99 PID 2104 wrote to memory of 3244 2104 Ajneip32.exe 100 PID 2104 wrote to memory of 3244 2104 Ajneip32.exe 100 PID 2104 wrote to memory of 3244 2104 Ajneip32.exe 100 PID 3244 wrote to memory of 2604 3244 Abemjmgg.exe 102 PID 3244 wrote to memory of 2604 3244 Abemjmgg.exe 102 PID 3244 wrote to memory of 2604 3244 Abemjmgg.exe 102 PID 2604 wrote to memory of 1608 2604 Bdfibe32.exe 103 PID 2604 wrote to memory of 1608 2604 Bdfibe32.exe 103 PID 2604 wrote to memory of 1608 2604 Bdfibe32.exe 103 PID 1608 wrote to memory of 2736 1608 Bhaebcen.exe 104 PID 1608 wrote to memory of 2736 1608 Bhaebcen.exe 104 PID 1608 wrote to memory of 2736 1608 Bhaebcen.exe 104 PID 2736 wrote to memory of 2168 2736 Bnlnon32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0b16dabb0b7f768ce31a5f26794264f0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe25⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe27⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe31⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe32⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe33⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4212 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe36⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4000 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe39⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe40⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5040 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe43⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe44⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe46⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe47⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe48⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe50⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe52⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe54⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe55⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe59⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe60⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe62⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe64⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4848 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe67⤵PID:2560
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe68⤵PID:4500
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe69⤵PID:2820
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe70⤵PID:4708
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe71⤵PID:3608
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe72⤵PID:3196
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe73⤵PID:2112
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe74⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4116 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4732 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe78⤵PID:4620
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe79⤵
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe80⤵PID:916
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4144 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe83⤵PID:4552
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe84⤵PID:4728
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe85⤵
- Modifies registry class
PID:4192 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe86⤵
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe87⤵PID:4488
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe88⤵PID:3780
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe89⤵PID:64
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3636 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe91⤵PID:1140
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe92⤵PID:4356
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe93⤵PID:5100
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe94⤵PID:5128
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe95⤵
- Drops file in System32 directory
PID:5168 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe96⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe97⤵PID:5260
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe100⤵PID:5388
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe101⤵PID:5428
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe102⤵PID:5468
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe103⤵PID:5504
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe104⤵PID:5556
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe105⤵PID:5596
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe106⤵
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe107⤵PID:5688
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe108⤵PID:5736
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe109⤵PID:5780
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe111⤵PID:5876
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe112⤵PID:5916
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe113⤵PID:5960
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe114⤵PID:6008
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe115⤵PID:6072
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe116⤵PID:6128
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe117⤵PID:5156
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe118⤵PID:5208
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe119⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe120⤵PID:5340
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe121⤵PID:5424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-