Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 19/06/2024, 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: 018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
Size: 96KB
MD5: 438201ebbb94256a3be566e18dec4a10
SHA1: cb435163632db4c3c494185cee05eb0c91e1aba2
SHA256: 018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973
SHA512: cab674b7c2e71a8d85d5e2fbf6cba1fc719c80743850127387d483da5d75dc0b73797096d86834cac1c01e885e62ccf400c101305dd6cc489555daf02ace8c43
SSDEEP: 1536:faK6UddXXuH9eQZfYhfxCKP6y4O7zCRrmYduV9jojTIvjrH:f16UddXXW9HAhfxZPqRKYd69jc0vf
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created (33 IoCs) by: Dbehoa32.exe, Fmhheqje.exe, Hacmcfge.exe, Eeqdep32.exe, Efppoc32.exe, Gacpdbej.exe, Aiedjneg.exe, Ffpmnf32.exe, Fphafl32.exe, Iknnbklc.exe, Bkfjhd32.exe, Cngcjo32.exe, Gbnccfpb.exe, Eijcpoac.exe, Hhjhkq32.exe, Hobcak32.exe, Feeiob32.exe, Ghmiam32.exe, Epdkli32.exe, Hicodd32.exe, Aplpai32.exe, Gkgkbipp.exe, Pmqdkj32.exe, Abbbnchb.exe, Ejgcdb32.exe, Ghhofmql.exe, Pfbccp32.exe, Afmonbqk.exe, Hhmepp32.exe, Hggomh32.exe, Qeqbkkej.exe, Ajbdna32.exe, Dqlafm32.exe
Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (31 IoCs) by: Fmcoja32.exe, Icbimi32.exe, Dgodbh32.exe, Ebpkce32.exe, Ebbgid32.exe, Eeempocb.exe, Hobcak32.exe, Hhmepp32.exe, Idceea32.exe, Afkbib32.exe, Coklgg32.exe, Dcknbh32.exe, Hdhbam32.exe, Cllpkl32.exe, Gogangdc.exe, Balijo32.exe, Ddeaalpg.exe, Gkkemh32.exe, Gkgkbipp.exe, Clcflkic.exe, Feeiob32.exe, Qjmkcbcb.exe, Admemg32.exe, Ebgacddo.exe, Bkfjhd32.exe, Dgaqgh32.exe, Hjhhocjj.exe, Ajbdna32.exe, Blmdlhmp.exe, Faagpp32.exe, Cjlgiqbk.exe
Executes dropped EXE (64 IoCs)
pid  Process
2228  Pminkk32.exe
2188  Pfbccp32.exe
2624  Pipopl32.exe
2672  Ppjglfon.exe
2764  Pjpkjond.exe
2692  Plahag32.exe
2552  Pchpbded.exe
2468  Peiljl32.exe
1772  Pmqdkj32.exe
308  Pnbacbac.exe
1532  Pelipl32.exe
2748  Plfamfpm.exe
1720  Pndniaop.exe
2280  Penfelgm.exe
860  Qlhnbf32.exe
320  Qnfjna32.exe
1512  Qeqbkkej.exe
1528  Qljkhe32.exe
2452  Qjmkcbcb.exe
1132  Qagcpljo.exe
1936  Adeplhib.exe
1300  Ajphib32.exe
1876  Aplpai32.exe
972  Affhncfc.exe
2056  Ajbdna32.exe
2244  Aiedjneg.exe
3016  Apomfh32.exe
2100  Ajdadamj.exe
2888  Apajlhka.exe
2548  Admemg32.exe
2724  Afkbib32.exe
2956  Amejeljk.exe
2416  Alhjai32.exe
2328  Abbbnchb.exe
808  Afmonbqk.exe
2192  Aljgfioc.exe
2756  Bbdocc32.exe
1688  Bebkpn32.exe
2088  Bhahlj32.exe
2264  Blmdlhmp.exe
1928  Beehencq.exe
556  Beehencq.exe
1656  Bommnc32.exe
2096  Balijo32.exe
1084  Bdjefj32.exe
1780  Bhfagipa.exe
896  Bghabf32.exe
2880  Bkdmcdoe.exe
1308  Bopicc32.exe
2348  Bnbjopoi.exe
1544  Bpafkknm.exe
2668  Bhhnli32.exe
2812  Bkfjhd32.exe
2632  Bjijdadm.exe
2516  Bdooajdc.exe
2988  Bcaomf32.exe
2024  Cjlgiqbk.exe
1456  Cngcjo32.exe
2580  Cpeofk32.exe
2868  Cdakgibq.exe
1696  Ccdlbf32.exe
2104  Cfbhnaho.exe
1144  Cllpkl32.exe
1204  Cphlljge.exe
Loads dropped DLL (64 IoCs; each pid/Process pair is listed twice in the report, 32 distinct processes)
pid  Process
2440  018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
2228  Pminkk32.exe
2188  Pfbccp32.exe
2624  Pipopl32.exe
2672  Ppjglfon.exe
2764  Pjpkjond.exe
2692  Plahag32.exe
2552  Pchpbded.exe
2468  Peiljl32.exe
1772  Pmqdkj32.exe
308  Pnbacbac.exe
1532  Pelipl32.exe
2748  Plfamfpm.exe
1720  Pndniaop.exe
2280  Penfelgm.exe
860  Qlhnbf32.exe
320  Qnfjna32.exe
1512  Qeqbkkej.exe
1528  Qljkhe32.exe
2452  Qjmkcbcb.exe
1132  Qagcpljo.exe
1936  Adeplhib.exe
1300  Ajphib32.exe
1876  Aplpai32.exe
972  Affhncfc.exe
2056  Ajbdna32.exe
2244  Aiedjneg.exe
3016  Apomfh32.exe
2100  Ajdadamj.exe
2888  Apajlhka.exe
2548  Admemg32.exe
2724  Afkbib32.exe
Drops file in System32 directory (64 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\Bcaomf32.exe  Bdooajdc.exe
File created  C:\Windows\SysWOW64\Anapbp32.dll  Dbehoa32.exe
File opened for modification  C:\Windows\SysWOW64\Pipopl32.exe  Pfbccp32.exe
File created  C:\Windows\SysWOW64\Qagcpljo.exe  Qjmkcbcb.exe
File created  C:\Windows\SysWOW64\Alihbgdo.dll  Bkfjhd32.exe
File created  C:\Windows\SysWOW64\Chemfl32.exe  Cfgaiaci.exe
File opened for modification  C:\Windows\SysWOW64\Dqelenlc.exe  Dngoibmo.exe
File opened for modification  C:\Windows\SysWOW64\Ffbicfoc.exe  Fddmgjpo.exe
File created  C:\Windows\SysWOW64\Pelipl32.exe  Pnbacbac.exe
File opened for modification  C:\Windows\SysWOW64\Apajlhka.exe  Ajdadamj.exe
File created  C:\Windows\SysWOW64\Clomqk32.exe  Chcqpmep.exe
File opened for modification  C:\Windows\SysWOW64\Iagfoe32.exe  Inljnfkg.exe
File opened for modification  C:\Windows\SysWOW64\Qagcpljo.exe  Qjmkcbcb.exe
File opened for modification  C:\Windows\SysWOW64\Bghabf32.exe  Bhfagipa.exe
File opened for modification  C:\Windows\SysWOW64\Dngoibmo.exe  Dgmglh32.exe
File opened for modification  C:\Windows\SysWOW64\Facdeo32.exe  Fmhheqje.exe
File created  C:\Windows\SysWOW64\Ihomanac.dll  Balijo32.exe
File opened for modification  C:\Windows\SysWOW64\Bjijdadm.exe  Bkfjhd32.exe
File opened for modification  C:\Windows\SysWOW64\Epieghdk.exe  Elmigj32.exe
File opened for modification  C:\Windows\SysWOW64\Hmhfjo32.dll  Gpmjak32.exe
File created  C:\Windows\SysWOW64\Qahefm32.dll  Gpmjak32.exe
File created  C:\Windows\SysWOW64\Hknach32.exe  Ghoegl32.exe
File opened for modification  C:\Windows\SysWOW64\Iknnbklc.exe  Ilknfn32.exe
File opened for modification  C:\Windows\SysWOW64\Pelipl32.exe  Pnbacbac.exe
File created  C:\Windows\SysWOW64\Kddjlc32.dll  Cphlljge.exe
File created  C:\Windows\SysWOW64\Ebbgid32.exe  Ebbgid32.exe
File opened for modification  C:\Windows\SysWOW64\Ejgcdb32.exe  Ebpkce32.exe
File opened for modification  C:\Windows\SysWOW64\Hlhaqogk.exe  Hhmepp32.exe
File created  C:\Windows\SysWOW64\Mdhbbiki.dll  Admemg32.exe
File created  C:\Windows\SysWOW64\Amejeljk.exe  Afkbib32.exe
File created  C:\Windows\SysWOW64\Blmdlhmp.exe  Bhahlj32.exe
File created  C:\Windows\SysWOW64\Cfinoq32.exe  Copfbfjj.exe
File opened for modification  C:\Windows\SysWOW64\Epfhbign.exe  Emhlfmgj.exe
File created  C:\Windows\SysWOW64\Ogjbla32.dll  Egamfkdh.exe
File created  C:\Windows\SysWOW64\Eloemi32.exe  Egdilkbf.exe
File created  C:\Windows\SysWOW64\Fpfdalii.exe  Facdeo32.exe
File created  C:\Windows\SysWOW64\Icplghmh.dll  Bbdocc32.exe
File created  C:\Windows\SysWOW64\Dmljjm32.dll  Cgbdhd32.exe
File created  C:\Windows\SysWOW64\Copfbfjj.exe  Ckdjbh32.exe
File created  C:\Windows\SysWOW64\Hiekid32.exe  Hggomh32.exe
File opened for modification  C:\Windows\SysWOW64\Hjjddchg.exe  Hacmcfge.exe
File opened for modification  C:\Windows\SysWOW64\Fpfdalii.exe  Facdeo32.exe
File created  C:\Windows\SysWOW64\Cakqnc32.dll  Fioija32.exe
File created  C:\Windows\SysWOW64\Fpmkde32.dll  Ghhofmql.exe
File created  C:\Windows\SysWOW64\Ikeogmlj.dll  Bghabf32.exe
File created  C:\Windows\SysWOW64\Mbiiek32.dll  Cfinoq32.exe
File created  C:\Windows\SysWOW64\Mcbndm32.dll  Dhjgal32.exe
File created  C:\Windows\SysWOW64\Dchfknpg.dll  Flabbihl.exe
File opened for modification  C:\Windows\SysWOW64\Hogmmjfo.exe  Hlhaqogk.exe
File created  C:\Windows\SysWOW64\Pminkk32.exe  018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
File created  C:\Windows\SysWOW64\Pjpkjond.exe  Ppjglfon.exe
File created  C:\Windows\SysWOW64\Pmqdkj32.exe  Peiljl32.exe
File created  C:\Windows\SysWOW64\Ffpmnf32.exe  Fbdqmghm.exe
File created  C:\Windows\SysWOW64\Gicbeald.exe  Gfefiemq.exe
File created  C:\Windows\SysWOW64\Gkgkbipp.exe  Ghhofmql.exe
File created  C:\Windows\SysWOW64\Hjhhocjj.exe  Hgilchkf.exe
File created  C:\Windows\SysWOW64\Alhjai32.exe  Amejeljk.exe
File opened for modification  C:\Windows\SysWOW64\Bhhnli32.exe  Bpafkknm.exe
File created  C:\Windows\SysWOW64\Facdeo32.exe  Fmhheqje.exe
File created  C:\Windows\SysWOW64\Ebinic32.exe  Eloemi32.exe
File created  C:\Windows\SysWOW64\Fbeccf32.dll  Abbbnchb.exe
File created  C:\Windows\SysWOW64\Iiciogbn.dll  Cpeofk32.exe
File created  C:\Windows\SysWOW64\Jfpjfeia.dll  Dnneja32.exe
File created  C:\Windows\SysWOW64\Ndkakief.dll  Ebbgid32.exe
Program crash (1 IoC)
pid  pid_target  Process  procid_target
3236  3196  WerFault.exe  236
Modifies registry class (64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Key created (16 IoCs) by: Bkdmcdoe.exe, Dmoipopd.exe, Eloemi32.exe, Gpmjak32.exe, Hpkjko32.exe, Hhmepp32.exe, Coklgg32.exe, Gbijhg32.exe, Eijcpoac.exe, Hicodd32.exe, Icbimi32.exe, Chcqpmep.exe, 018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe, Dqelenlc.exe, Hahjpbad.exe, Pipopl32.exe
Set value (str) ThreadingModel = "Apartment" (19 IoCs) by: Pfbccp32.exe, Pjpkjond.exe, Fmcoja32.exe, Ffnphf32.exe, Fmhheqje.exe, Facdeo32.exe, Pnbacbac.exe, Hgilchkf.exe, Bpafkknm.exe, Cfeddafl.exe, Dcknbh32.exe, Gpmjak32.exe, Egdilkbf.exe, Aplpai32.exe, Plahag32.exe, Cfbhnaho.exe, Cllpkl32.exe, Dgfjbgmh.exe, Ajphib32.exe
Set value (str) (Default) = DLL path (29 IoCs):
  value  Process
  C:\Windows\SysWow64\Qahefm32.dll  Gpmjak32.exe
  C:\Windows\SysWow64\Liqebf32.dll  Hpapln32.exe
  C:\Windows\SysWow64\Fgdqfpma.dll  Cllpkl32.exe
  C:\Windows\SysWow64\Hfbenjka.dll  Dbpodagk.exe
  C:\Windows\SysWow64\Lopekk32.dll  Efppoc32.exe
  C:\Windows\SysWow64\Ogjbla32.dll  Egamfkdh.exe
  C:\Windows\SysWow64\Jamfqeie.dll  Ebbgid32.exe
  C:\Windows\SysWow64\Nbniiffi.dll  Hobcak32.exe
  C:\Windows\SysWow64\Pabfdklg.dll  Gkgkbipp.exe
  C:\Windows\SysWow64\Alogkm32.dll  Hodpgjha.exe
  C:\Windows\SysWow64\Kfammbdf.dll  Ppjglfon.exe
  C:\Windows\SysWow64\Dlcdphdj.dll  Chemfl32.exe
  C:\Windows\SysWow64\Higdqfol.dll  Pndniaop.exe
  C:\Windows\SysWow64\Mhfkbo32.dll  Hacmcfge.exe
  C:\Windows\SysWow64\Pndaof32.dll  Plfamfpm.exe
  C:\Windows\SysWow64\Ndkakief.dll  Ebbgid32.exe
  C:\Windows\SysWow64\Bdhaablp.dll  Hjjddchg.exe
  C:\Windows\SysWow64\Gbhfilfi.dll  Cfeddafl.exe
  C:\Windows\SysWow64\Dobkmdfq.dll  Aljgfioc.exe
  C:\Windows\SysWow64\Lkcmiimi.dll  Djnpnc32.exe
  C:\Windows\SysWow64\Iklefg32.dll  Apomfh32.exe
  C:\Windows\SysWow64\Pmdoik32.dll  Eqonkmdh.exe
  C:\Windows\SysWow64\Kcaipkch.dll  Ghmiam32.exe
  C:\Windows\SysWow64\Jkoginch.dll  Ffkcbgek.exe
  C:\Windows\SysWow64\Jbelkc32.dll  Fmjejphb.exe
  C:\Windows\SysWow64\Ndejjf32.dll  Ajphib32.exe
  C:\Windows\SysWow64\Imhjppim.dll  Ccdlbf32.exe
  C:\Windows\SysWow64\Lonkjenl.dll  Ebgacddo.exe
  C:\Windows\SysWow64\Gcmjhbal.dll  Ebinic32.exe
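Read together, the two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") describe a single persistence chain: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" holds the CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and that CLSID's InProcServer32 key names a DLL dropped into SysWOW64 (a differently named DLL per stage) with ThreadingModel = "Apartment", so Explorer instantiates the COM object and loads the DLL when it starts. Because the sample is 32-bit and ran on windows7_x64, every one of these writes was redirected into the Wow6432Node view, which the 64-bit Explorer does not consult; on 32-bit Windows the same writes land in the native key. The PowerShell audit below is an added example and is not part of the Triage report or of the sample: it enumerates SSODL entries in both registry views, resolves each CLSID to its InProcServer32 DLL, and flags the CLSID seen in this report, entries with no DLL registered, and DLLs that are missing or lack a valid Authenticode signature. The CLSID is taken from this report; every other name in the script (function name, column names) is the editor's own choice.

```powershell
# Added audit script (not part of the Triage report): enumerate every
# ShellServiceObjectDelayLoad (SSODL) entry in both registry views, resolve the
# CLSID to the DLL registered under InProcServer32, and flag anything that points
# at the CLSID seen in this report, at a missing file, or at an unsigned DLL.
# Run from an elevated PowerShell (3.0 or later) prompt on the host under review.

# CLSID observed in this report; treated as known-bad.
$KnownBadClsid = @('{79FAA099-1BAE-816E-D711-115290CEE717}')

# 64-bit Explorer reads the native view; a 32-bit writer is redirected to Wow6432Node.
$Views = @(
    [pscustomobject]@{
        View  = 'native'
        Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        Clsid = 'HKLM:\SOFTWARE\Classes\CLSID'
    },
    [pscustomobject]@{
        View  = 'Wow6432Node'
        Ssodl = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    }
)

function Get-SsodlEntry {
    foreach ($v in $Views) {
        if (-not (Test-Path -LiteralPath $v.Ssodl)) { continue }
        $ssodl = Get-Item -LiteralPath $v.Ssodl
        foreach ($name in $ssodl.GetValueNames()) {
            $clsid  = [string]$ssodl.GetValue($name)
            $server = Join-Path $v.Clsid "$clsid\InProcServer32"
            $dll = $null; $threading = $null
            if (Test-Path -LiteralPath $server) {
                $srv       = Get-Item -LiteralPath $server
                $dll       = [string]$srv.GetValue('')               # (Default) = DLL path
                $threading = [string]$srv.GetValue('ThreadingModel')
            }
            # Expand %SystemRoot% and friends before touching the file system.
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $sig = if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
                (Get-AuthenticodeSignature -FilePath $dllPath).Status.ToString()
            } else { 'FileMissing' }

            $reasons = @()
            if ($KnownBadClsid -contains $clsid) { $reasons += 'known-bad CLSID' }
            if (-not $dll)                        { $reasons += 'no InProcServer32 DLL' }
            if ($sig -ne 'Valid')                 { $reasons += "signature: $sig" }

            [pscustomobject]@{
                View       = $v.View
                ValueName  = $name
                CLSID      = $clsid
                DLL        = $dllPath
                Threading  = $threading
                Signature  = $sig
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

$entries = @(Get-SsodlEntry)
$entries | Format-Table View, ValueName, CLSID, DLL, Signature, Reason -AutoSize
$entries | Where-Object { $_.Suspicious } | ForEach-Object {
    Write-Warning ("SSODL persistence candidate in {0} view: '{1}' -> {2} -> {3} ({4})" -f
        $_.View, $_.ValueName, $_.CLSID, $_.DLL, $_.Reason)
}
```

The script covers HKLM only, which is where this sample wrote. Treat the Signature column as a triage hint rather than a verdict: Windows DLLs that are catalog-signed rather than embedded-signed can report NotSigned on older hosts, so an entry whose CLSID is not one of the stock shell objects, or whose DLL has a random eight-character name in a system directory as seen in this report, deserves a closer look even when the signature check is inconclusive.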
Suspicious use of WriteProcessMemory (64 IoCs; each write is logged four times, 16 distinct parent/child pairs)
pid  wrote to  Process  procid_target
2440  2228  018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe  28
2228  2188  Pminkk32.exe  29
2188  2624  Pfbccp32.exe  30
2624  2672  Pipopl32.exe  31
2672  2764  Ppjglfon.exe  32
2764  2692  Pjpkjond.exe  33
2692  2552  Plahag32.exe  34
2552  2468  Pchpbded.exe  35
2468  1772  Peiljl32.exe  36
1772  308  Pmqdkj32.exe  37
308  1532  Pnbacbac.exe  38
1532  2748  Pelipl32.exe  39
2748  1720  Plfamfpm.exe  40
1720  2280  Pndniaop.exe  41
2280  860  Penfelgm.exe  42
860  320  Qlhnbf32.exe  43
Processes
Each process below is spawned by the one above it; the number in brackets is its depth in the chain, followed by the image path and the recorded command line.

[1] C:\Users\Admin\AppData\Local\Temp\018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe")
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2440

[2] C:\Windows\SysWOW64\Pminkk32.exe  (cmdline: C:\Windows\system32\Pminkk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2228

[3] C:\Windows\SysWOW64\Pfbccp32.exe  (cmdline: C:\Windows\system32\Pfbccp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2188

[4] C:\Windows\SysWOW64\Pipopl32.exe  (cmdline: C:\Windows\system32\Pipopl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2624

[5] C:\Windows\SysWOW64\Ppjglfon.exe  (cmdline: C:\Windows\system32\Ppjglfon.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2672

[6] C:\Windows\SysWOW64\Pjpkjond.exe  (cmdline: C:\Windows\system32\Pjpkjond.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2764

[7] C:\Windows\SysWOW64\Plahag32.exe  (cmdline: C:\Windows\system32\Plahag32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2692

[8] C:\Windows\SysWOW64\Pchpbded.exe  (cmdline: C:\Windows\system32\Pchpbded.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2552

[9] C:\Windows\SysWOW64\Peiljl32.exe  (cmdline: C:\Windows\system32\Peiljl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2468

[10] C:\Windows\SysWOW64\Pmqdkj32.exe  (cmdline: C:\Windows\system32\Pmqdkj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1772

[11] C:\Windows\SysWOW64\Pnbacbac.exe  (cmdline: C:\Windows\system32\Pnbacbac.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 308

[12] C:\Windows\SysWOW64\Pelipl32.exe  (cmdline: C:\Windows\system32\Pelipl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1532

[13] C:\Windows\SysWOW64\Plfamfpm.exe  (cmdline: C:\Windows\system32\Plfamfpm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2748

[14] C:\Windows\SysWOW64\Pndniaop.exe  (cmdline: C:\Windows\system32\Pndniaop.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1720

[15] C:\Windows\SysWOW64\Penfelgm.exe  (cmdline: C:\Windows\system32\Penfelgm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2280

[16] C:\Windows\SysWOW64\Qlhnbf32.exe  (cmdline: C:\Windows\system32\Qlhnbf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 860

[17] C:\Windows\SysWOW64\Qnfjna32.exe  (cmdline: C:\Windows\system32\Qnfjna32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 320

[18] C:\Windows\SysWOW64\Qeqbkkej.exe  (cmdline: C:\Windows\system32\Qeqbkkej.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1512

[19] C:\Windows\SysWOW64\Qljkhe32.exe  (cmdline: C:\Windows\system32\Qljkhe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1528

[20] C:\Windows\SysWOW64\Qjmkcbcb.exe  (cmdline: C:\Windows\system32\Qjmkcbcb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2452

[21] C:\Windows\SysWOW64\Qagcpljo.exe  (cmdline: C:\Windows\system32\Qagcpljo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1132

[22] C:\Windows\SysWOW64\Adeplhib.exe  (cmdline: C:\Windows\system32\Adeplhib.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1936

[23] C:\Windows\SysWOW64\Ajphib32.exe  (cmdline: C:\Windows\system32\Ajphib32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1300

[24] C:\Windows\SysWOW64\Aplpai32.exe  (cmdline: C:\Windows\system32\Aplpai32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1876

[25] C:\Windows\SysWOW64\Affhncfc.exe  (cmdline: C:\Windows\system32\Affhncfc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 972

[26] C:\Windows\SysWOW64\Ajbdna32.exe  (cmdline: C:\Windows\system32\Ajbdna32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2056

[27] C:\Windows\SysWOW64\Aiedjneg.exe  (cmdline: C:\Windows\system32\Aiedjneg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2244

[28] C:\Windows\SysWOW64\Apomfh32.exe  (cmdline: C:\Windows\system32\Apomfh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 3016

[29] C:\Windows\SysWOW64\Ajdadamj.exe  (cmdline: C:\Windows\system32\Ajdadamj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2100

[30] C:\Windows\SysWOW64\Apajlhka.exe  (cmdline: C:\Windows\system32\Apajlhka.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2888

[31] C:\Windows\SysWOW64\Admemg32.exe  (cmdline: C:\Windows\system32\Admemg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2548

[32] C:\Windows\SysWOW64\Afkbib32.exe  (cmdline: C:\Windows\system32\Afkbib32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2724

[33] C:\Windows\SysWOW64\Amejeljk.exe  (cmdline: C:\Windows\system32\Amejeljk.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2956

[34] C:\Windows\SysWOW64\Alhjai32.exe  (cmdline: C:\Windows\system32\Alhjai32.exe)
- Executes dropped EXE
PID: 2416

[35] C:\Windows\SysWOW64\Abbbnchb.exe  (cmdline: C:\Windows\system32\Abbbnchb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2328

[36] C:\Windows\SysWOW64\Afmonbqk.exe  (cmdline: C:\Windows\system32\Afmonbqk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 808

[37] C:\Windows\SysWOW64\Aljgfioc.exe  (cmdline: C:\Windows\system32\Aljgfioc.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2192

[38] C:\Windows\SysWOW64\Bbdocc32.exe  (cmdline: C:\Windows\system32\Bbdocc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2756

[39] C:\Windows\SysWOW64\Bebkpn32.exe  (cmdline: C:\Windows\system32\Bebkpn32.exe)
- Executes dropped EXE
PID: 1688

[40] C:\Windows\SysWOW64\Bhahlj32.exe  (cmdline: C:\Windows\system32\Bhahlj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2088

[41] C:\Windows\SysWOW64\Blmdlhmp.exe  (cmdline: C:\Windows\system32\Blmdlhmp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2264

[42] C:\Windows\SysWOW64\Beehencq.exe  (cmdline: C:\Windows\system32\Beehencq.exe)
- Executes dropped EXE
PID: 1928

[43] C:\Windows\SysWOW64\Beehencq.exe  (cmdline: C:\Windows\system32\Beehencq.exe)
- Executes dropped EXE
PID: 556

[44] C:\Windows\SysWOW64\Bommnc32.exe  (cmdline: C:\Windows\system32\Bommnc32.exe)
- Executes dropped EXE
PID: 1656

[45] C:\Windows\SysWOW64\Balijo32.exe  (cmdline: C:\Windows\system32\Balijo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2096

[46] C:\Windows\SysWOW64\Bdjefj32.exe  (cmdline: C:\Windows\system32\Bdjefj32.exe)
- Executes dropped EXE
PID: 1084

[47] C:\Windows\SysWOW64\Bhfagipa.exe  (cmdline: C:\Windows\system32\Bhfagipa.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1780

[48] C:\Windows\SysWOW64\Bghabf32.exe  (cmdline: C:\Windows\system32\Bghabf32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 896

[49] C:\Windows\SysWOW64\Bkdmcdoe.exe  (cmdline: C:\Windows\system32\Bkdmcdoe.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2880

[50] C:\Windows\SysWOW64\Bopicc32.exe  (cmdline: C:\Windows\system32\Bopicc32.exe)
- Executes dropped EXE
PID: 1308

[51] C:\Windows\SysWOW64\Bnbjopoi.exe  (cmdline: C:\Windows\system32\Bnbjopoi.exe)
- Executes dropped EXE
PID: 2348

[52] C:\Windows\SysWOW64\Bpafkknm.exe  (cmdline: C:\Windows\system32\Bpafkknm.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1544

[53] C:\Windows\SysWOW64\Bhhnli32.exe  (cmdline: C:\Windows\system32\Bhhnli32.exe)
- Executes dropped EXE
PID: 2668

[54] C:\Windows\SysWOW64\Bkfjhd32.exe  (cmdline: C:\Windows\system32\Bkfjhd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2812

[55] C:\Windows\SysWOW64\Bjijdadm.exe  (cmdline: C:\Windows\system32\Bjijdadm.exe)
- Executes dropped EXE
PID: 2632

[56] C:\Windows\SysWOW64\Bdooajdc.exe  (cmdline: C:\Windows\system32\Bdooajdc.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2516

[57] C:\Windows\SysWOW64\Bcaomf32.exe  (cmdline: C:\Windows\system32\Bcaomf32.exe)
- Executes dropped EXE
PID: 2988

[58] C:\Windows\SysWOW64\Cjlgiqbk.exe  (cmdline: C:\Windows\system32\Cjlgiqbk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2024

[59] C:\Windows\SysWOW64\Cngcjo32.exe  (cmdline: C:\Windows\system32\Cngcjo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1456

[60] C:\Windows\SysWOW64\Cpeofk32.exe  (cmdline: C:\Windows\system32\Cpeofk32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2580

[61] C:\Windows\SysWOW64\Cdakgibq.exe  (cmdline: C:\Windows\system32\Cdakgibq.exe)
- Executes dropped EXE
PID: 2868

[62] C:\Windows\SysWOW64\Ccdlbf32.exe  (cmdline: C:\Windows\system32\Ccdlbf32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1696

[63] C:\Windows\SysWOW64\Cfbhnaho.exe  (cmdline: C:\Windows\system32\Cfbhnaho.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2104

[64] C:\Windows\SysWOW64\Cllpkl32.exe  (cmdline: C:\Windows\system32\Cllpkl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1144

[65] C:\Windows\SysWOW64\Cphlljge.exe  (cmdline: C:\Windows\system32\Cphlljge.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1204

[66] C:\Windows\SysWOW64\Coklgg32.exe  (cmdline: C:\Windows\system32\Coklgg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1036

[67] C:\Windows\SysWOW64\Cgbdhd32.exe  (cmdline: C:\Windows\system32\Cgbdhd32.exe)
- Drops file in System32 directory
PID: 2312

[68] C:\Windows\SysWOW64\Cfeddafl.exe  (cmdline: C:\Windows\system32\Cfeddafl.exe)
- Modifies registry class
PID: 1812

[69] C:\Windows\SysWOW64\Chcqpmep.exe  (cmdline: C:\Windows\system32\Chcqpmep.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2060

[70] C:\Windows\SysWOW64\Clomqk32.exe  (cmdline: C:\Windows\system32\Clomqk32.exe)
PID: 2476

[71] C:\Windows\SysWOW64\Comimg32.exe  (cmdline: C:\Windows\system32\Comimg32.exe)
PID: 2408

[72] C:\Windows\SysWOW64\Cfgaiaci.exe  (cmdline: C:\Windows\system32\Cfgaiaci.exe)
- Drops file in System32 directory
PID: 2340

[73] C:\Windows\SysWOW64\Chemfl32.exe  (cmdline: C:\Windows\system32\Chemfl32.exe)
- Modifies registry class
PID: 2768

[74] C:\Windows\SysWOW64\Ckdjbh32.exe  (cmdline: C:\Windows\system32\Ckdjbh32.exe)
- Drops file in System32 directory
PID: 2680

[75] C:\Windows\SysWOW64\Copfbfjj.exe  (cmdline: C:\Windows\system32\Copfbfjj.exe)
- Drops file in System32 directory
PID: 2036

[76] C:\Windows\SysWOW64\Cfinoq32.exe  (cmdline: C:\Windows\system32\Cfinoq32.exe)
- Drops file in System32 directory
PID: 2960

[77] C:\Windows\SysWOW64\Clcflkic.exe  (cmdline: C:\Windows\system32\Clcflkic.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1708

[78] C:\Windows\SysWOW64\Cndbcc32.exe  (cmdline: C:\Windows\system32\Cndbcc32.exe)
PID: 772

[79] C:\Windows\SysWOW64\Dbpodagk.exe  (cmdline: C:\Windows\system32\Dbpodagk.exe)
- Modifies registry class
PID: 2092

[80] C:\Windows\SysWOW64\Dhjgal32.exe  (cmdline: C:\Windows\system32\Dhjgal32.exe)
- Drops file in System32 directory
PID: 2268

[81] C:\Windows\SysWOW64\Dgmglh32.exe  (cmdline: C:\Windows\system32\Dgmglh32.exe)
- Drops file in System32 directory
PID: 1384

[82] C:\Windows\SysWOW64\Dngoibmo.exe  (cmdline: C:\Windows\system32\Dngoibmo.exe)
- Drops file in System32 directory
PID: 2084

[83] C:\Windows\SysWOW64\Dqelenlc.exe  (cmdline: C:\Windows\system32\Dqelenlc.exe)
- Modifies registry class
PID: 1064

[84] C:\Windows\SysWOW64\Ddagfm32.exe  (cmdline: C:\Windows\system32\Ddagfm32.exe)
PID: 996

[85] C:\Windows\SysWOW64\Dgodbh32.exe  (cmdline: C:\Windows\system32\Dgodbh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2064

[86] C:\Windows\SysWOW64\Djnpnc32.exe  (cmdline: C:\Windows\system32\Djnpnc32.exe)
- Modifies registry class
PID: 2448

[87] C:\Windows\SysWOW64\Dbehoa32.exe  (cmdline: C:\Windows\system32\Dbehoa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2760

[88] C:\Windows\SysWOW64\Ddcdkl32.exe  (cmdline: C:\Windows\system32\Ddcdkl32.exe)
PID: 2592

[89] C:\Windows\SysWOW64\Dcfdgiid.exe  (cmdline: C:\Windows\system32\Dcfdgiid.exe)
PID: 2008

[90] C:\Windows\SysWOW64\Dgaqgh32.exe  (cmdline: C:\Windows\system32\Dgaqgh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1712

[91] C:\Windows\SysWOW64\Djpmccqq.exe  (cmdline: C:\Windows\system32\Djpmccqq.exe)
PID: 1832

[92] C:\Windows\SysWOW64\Dmoipopd.exe  (cmdline: C:\Windows\system32\Dmoipopd.exe)
- Modifies registry class
PID: 2004

[93] C:\Windows\SysWOW64\Ddeaalpg.exe  (cmdline: C:\Windows\system32\Ddeaalpg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1108

[94] C:\Windows\SysWOW64\Dchali32.exe  (cmdline: C:\Windows\system32\Dchali32.exe)
PID: 644

[95] C:\Windows\SysWOW64\Dfgmhd32.exe  (cmdline: C:\Windows\system32\Dfgmhd32.exe)
PID: 1736

[96] C:\Windows\SysWOW64\Dnneja32.exe  (cmdline: C:\Windows\system32\Dnneja32.exe)
- Drops file in System32 directory
PID: 1312

[97] C:\Windows\SysWOW64\Dqlafm32.exe  (cmdline: C:\Windows\system32\Dqlafm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1540

[98] C:\Windows\SysWOW64\Dcknbh32.exe  (cmdline: C:\Windows\system32\Dcknbh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1184

[99] C:\Windows\SysWOW64\Dgfjbgmh.exe  (cmdline: C:\Windows\system32\Dgfjbgmh.exe)
- Modifies registry class
PID: 2796

[100] C:\Windows\SysWOW64\Djefobmk.exe  (cmdline: C:\Windows\system32\Djefobmk.exe)
PID: 2652

[101] C:\Windows\SysWOW64\Eihfjo32.exe  (cmdline: C:\Windows\system32\Eihfjo32.exe)
PID: 2640

[102] C:\Windows\SysWOW64\Eqonkmdh.exe  (cmdline: C:\Windows\system32\Eqonkmdh.exe)
- Modifies registry class
PID: 2020

[103] C:\Windows\SysWOW64\Ebpkce32.exe  (cmdline: C:\Windows\system32\Ebpkce32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1660

[104] C:\Windows\SysWOW64\Ejgcdb32.exe  (cmdline: C:\Windows\system32\Ejgcdb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2484

[105] C:\Windows\SysWOW64\Eijcpoac.exe  (cmdline: C:\Windows\system32\Eijcpoac.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2316

[106] C:\Windows\SysWOW64\Emeopn32.exe  (cmdline: C:\Windows\system32\Emeopn32.exe)
PID: 2500

[107] C:\Windows\SysWOW64\Epdkli32.exe  (cmdline: C:\Windows\system32\Epdkli32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2492

[108] C:\Windows\SysWOW64\Ebbgid32.exe  (cmdline: C:\Windows\system32\Ebbgid32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 1684

[109] C:\Windows\SysWOW64\Ebbgid32.exe  (cmdline: C:\Windows\system32\Ebbgid32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 1796

[110] C:\Windows\SysWOW64\Eeqdep32.exe  (cmdline: C:\Windows\system32\Eeqdep32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2892

[111] C:\Windows\SysWOW64\Emhlfmgj.exe  (cmdline: C:\Windows\system32\Emhlfmgj.exe)
- Drops file in System32 directory
PID: 2128

[112] C:\Windows\SysWOW64\Epfhbign.exe  (cmdline: C:\Windows\system32\Epfhbign.exe)
PID: 2896

[113] C:\Windows\SysWOW64\Enihne32.exe  (cmdline: C:\Windows\system32\Enihne32.exe)
PID: 2684

[114] C:\Windows\SysWOW64\Efppoc32.exe  (cmdline: C:\Windows\system32\Efppoc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1396

[115] C:\Windows\SysWOW64\Efppoc32.exe  (cmdline: C:\Windows\system32\Efppoc32.exe)
- Modifies registry class
PID: 3052

[116] C:\Windows\SysWOW64\Eecqjpee.exe  (cmdline: C:\Windows\system32\Eecqjpee.exe)
PID: 1048

[117] C:\Windows\SysWOW64\Egamfkdh.exe  (cmdline: C:\Windows\system32\Egamfkdh.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 1320

[118] C:\Windows\SysWOW64\Elmigj32.exe  (cmdline: C:\Windows\system32\Elmigj32.exe)
- Drops file in System32 directory
PID: 1692

[119] C:\Windows\SysWOW64\Epieghdk.exe  (cmdline: C:\Windows\system32\Epieghdk.exe)
PID: 2320

[120] C:\Windows\SysWOW64\Ebgacddo.exe  (cmdline: C:\Windows\system32\Ebgacddo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 836

[121] C:\Windows\SysWOW64\Eeempocb.exe  (cmdline: C:\Windows\system32\Eeempocb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1016

[122] C:\Windows\SysWOW64\Egdilkbf.exe  (cmdline: C:\Windows\system32\Egdilkbf.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 3064