Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
24/06/2024, 07:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
-
Size
1.6MB
-
MD5
5fdae4131178537f9f3dc0c8bba37b70
-
SHA1
9d421361dfef355f54421399bd30eed1302c6cfe
-
SHA256
4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd
-
SHA512
cd162255fcd02bf593a21acacf97bda282b1c7b454ff294f11fdd2c75b87f797e26d4087ef36dd3eaa7af002b59916503ed94e9457a0396716352b81d124134b
-
SSDEEP
12288:7T7vjDVqvQ6IvYvc6IveDVqvQ6IvYPVSEv66IveDVqvQ6IvYvc6IveDV:7D5h3q5hrq5h3q5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmicohqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbfijjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikojfgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldnhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmffhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmfqkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnffgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knpemf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heihnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfghif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhgk32.exe -
Executes dropped EXE 64 IoCs
pid Process 1664 Flgbho32.exe 1704 Fliomnfp.exe 2576 Fdgqgqah.exe 2588 Gamnfd32.exe 2608 Gliklahk.exe 2616 Hedmkgmi.exe 2520 Hfifff32.exe 1916 Hjkkojlc.exe 1528 Hbbcpg32.exe 2508 Ijaapifk.exe 2932 Jilhldfn.exe 1640 Jbfijjkl.exe 2296 Jpqclb32.exe 1712 Kmgpkfab.exe 2132 Kphimanc.exe 1452 Kfaajlfp.exe 1816 Loapim32.exe 452 Ldnhad32.exe 3032 Lfmdnp32.exe 1488 Ldenbcge.exe 1620 Loooca32.exe 884 Meigpkka.exe 2376 Mcmhiojk.exe 2028 Mekdekin.exe 2868 Mabejlob.exe 880 Mdqafgnf.exe 1600 Mgajhbkg.exe 936 Mohbip32.exe 2840 Nnnojlpa.exe 2252 Naikkk32.exe 2640 Ndgggf32.exe 2848 Ncmdhb32.exe 2612 Ncoamb32.exe 2500 Ngkmnacm.exe 1900 Njkfpl32.exe 1944 Nccjhafn.exe 1908 Ofbfdmeb.exe 2760 Onmkio32.exe 2796 Oomhcbjp.exe 1652 Odjpkihg.exe 2920 Oghlgdgk.exe 1880 Oelmai32.exe 1444 Oqcnfjli.exe 840 Ocajbekl.exe 2248 Pphjgfqq.exe 576 Pccfge32.exe 2124 Pjmodopf.exe 1160 Ppjglfon.exe 1092 Pmnhfjmg.exe 2220 Pchpbded.exe 2380 Pfflopdh.exe 1628 Piehkkcl.exe 1604 Phjelg32.exe 2980 Pndniaop.exe 2592 Pbpjiphi.exe 2600 Qlhnbf32.exe 2472 Qbbfopeg.exe 804 Qljkhe32.exe 2464 Ahakmf32.exe 2948 Ankdiqih.exe 2488 Amndem32.exe 1272 Affhncfc.exe 2828 Aiedjneg.exe 380 Aalmklfi.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe 2412 4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe 1664 Flgbho32.exe 1664 Flgbho32.exe 1704 Fliomnfp.exe 1704 Fliomnfp.exe 2576 Fdgqgqah.exe 2576 Fdgqgqah.exe 2588 Gamnfd32.exe 2588 Gamnfd32.exe 2608 Gliklahk.exe 2608 Gliklahk.exe 2616 Hedmkgmi.exe 2616 Hedmkgmi.exe 2520 Hfifff32.exe 2520 Hfifff32.exe 1916 Hjkkojlc.exe 1916 Hjkkojlc.exe 1528 Hbbcpg32.exe 1528 Hbbcpg32.exe 2508 Ijaapifk.exe 2508 Ijaapifk.exe 2932 Jilhldfn.exe 2932 Jilhldfn.exe 1640 Jbfijjkl.exe 1640 Jbfijjkl.exe 2296 Jpqclb32.exe 2296 Jpqclb32.exe 1712 Kmgpkfab.exe 1712 Kmgpkfab.exe 2132 Kphimanc.exe 2132 Kphimanc.exe 1452 Kfaajlfp.exe 1452 Kfaajlfp.exe 1816 Loapim32.exe 1816 Loapim32.exe 452 Ldnhad32.exe 452 Ldnhad32.exe 3032 Lfmdnp32.exe 3032 Lfmdnp32.exe 1488 Ldenbcge.exe 1488 Ldenbcge.exe 1620 Loooca32.exe 1620 Loooca32.exe 884 Meigpkka.exe 884 Meigpkka.exe 2376 Mcmhiojk.exe 2376 Mcmhiojk.exe 2028 Mekdekin.exe 2028 Mekdekin.exe 2868 Mabejlob.exe 2868 Mabejlob.exe 880 Mdqafgnf.exe 880 Mdqafgnf.exe 1600 Mgajhbkg.exe 1600 Mgajhbkg.exe 936 Mohbip32.exe 936 Mohbip32.exe 2840 Nnnojlpa.exe 2840 Nnnojlpa.exe 2252 Naikkk32.exe 2252 Naikkk32.exe 2640 Ndgggf32.exe 2640 Ndgggf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kjpfgi32.dll Globlmmj.exe File created C:\Windows\SysWOW64\Lollckbk.exe Lkppbl32.exe File created C:\Windows\SysWOW64\Maiooo32.dll Fagjnn32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Enkece32.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nncahjgl.exe File created C:\Windows\SysWOW64\Eddpkh32.dll Bekkcljk.exe File created C:\Windows\SysWOW64\Nmmhnm32.dll Hdildlie.exe File created C:\Windows\SysWOW64\Ljkomfjl.exe Lgmcqkkh.exe File created C:\Windows\SysWOW64\Khklki32.dll Mdqafgnf.exe File created C:\Windows\SysWOW64\Ekchhcnp.dll Pphjgfqq.exe File created C:\Windows\SysWOW64\Aadloj32.exe Aoepcn32.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Cppkph32.exe File created C:\Windows\SysWOW64\Blopagpd.dll Djklnnaj.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Affhncfc.exe File opened for modification C:\Windows\SysWOW64\Npdjje32.exe Nocnbmoo.exe File created C:\Windows\SysWOW64\Obknqjig.dll Fllnlg32.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Cppkph32.exe File opened for modification C:\Windows\SysWOW64\Jqnejn32.exe Jjdmmdnh.exe File opened for modification C:\Windows\SysWOW64\Nccjhafn.exe Njkfpl32.exe File opened for modification C:\Windows\SysWOW64\Alenki32.exe Aalmklfi.exe File created C:\Windows\SysWOW64\Fnpnndgp.exe Fckjalhj.exe File created C:\Windows\SysWOW64\Nglknl32.dll Qpecfc32.exe File created C:\Windows\SysWOW64\Bblogakg.exe Bfenbpec.exe File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Gddifnbk.exe Gdamqndn.exe File created C:\Windows\SysWOW64\Jdekadnf.dll Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Mamddf32.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Dmkmmi32.dll Eibbcm32.exe File opened for modification C:\Windows\SysWOW64\Fjaonpnn.exe Ebjglbml.exe File opened for modification C:\Windows\SysWOW64\Jdehon32.exe Jqilooij.exe File created C:\Windows\SysWOW64\Cpdcnhnl.dll Jdehon32.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Bjdmohgl.dll Lmebnb32.exe File created C:\Windows\SysWOW64\Pndniaop.exe Phjelg32.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Jmhmpb32.exe File created C:\Windows\SysWOW64\Qpecfc32.exe Pgioaa32.exe File created C:\Windows\SysWOW64\Jofbag32.exe Jhljdm32.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Cngcjo32.exe File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe Dcknbh32.exe File created C:\Windows\SysWOW64\Enkece32.exe Egamfkdh.exe File created C:\Windows\SysWOW64\Cadhnmnm.exe Blgpef32.exe File created C:\Windows\SysWOW64\Eaklqfem.dll Dfamcogo.exe File opened for modification C:\Windows\SysWOW64\Hbbcpg32.exe Hjkkojlc.exe File opened for modification C:\Windows\SysWOW64\Inqcif32.exe Iajcde32.exe File created C:\Windows\SysWOW64\Odobjg32.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Lfmnmlid.dll Cnkicn32.exe File created C:\Windows\SysWOW64\Inkccpgk.exe Igakgfpn.exe File created C:\Windows\SysWOW64\Jnffgd32.exe Ikhjki32.exe File created C:\Windows\SysWOW64\Mdqafgnf.exe Mabejlob.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Ahakmf32.exe File opened for modification C:\Windows\SysWOW64\Affhncfc.exe Amndem32.exe File created C:\Windows\SysWOW64\Ncdbcl32.dll Aoepcn32.exe File created C:\Windows\SysWOW64\Oehfcmhd.dll Cnaocmmi.exe File created C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Qlhnbf32.exe Pbpjiphi.exe File created C:\Windows\SysWOW64\Mhkdik32.dll Cldooj32.exe File created C:\Windows\SysWOW64\Dookgcij.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Olhfdohg.dll Fjaonpnn.exe File created C:\Windows\SysWOW64\Fpcqjacl.dll Kqqboncb.exe File created C:\Windows\SysWOW64\Aepojo32.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Enihne32.exe Ebbgid32.exe File created C:\Windows\SysWOW64\Milokblc.dll Pgeefbhm.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File created C:\Windows\SysWOW64\Lpgimglf.dll Iefhhbef.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlgiqbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iimjmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakbapml.dll" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Namqci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll" Ngdifkpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lliflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iheddndj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgbdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apbfblll.dll" Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pledghce.dll" Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioaifhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdmmdnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kphimanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copfbfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamimc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll" Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldenbcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepojo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndaof32.dll" Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmlecec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqmmidel.dll" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pccfge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifiacd32.dll" Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfnmo32.dll" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnelabi.dll" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" Nhaikn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glaenq32.dll" Hedmkgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iimjmbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcinege.dll" Hdlhjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmgpkfab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 1664 2412 4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 1664 2412 4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 1664 2412 4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 1664 2412 4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe 28 PID 1664 wrote to memory of 1704 1664 Flgbho32.exe 29 PID 1664 wrote to memory of 1704 1664 Flgbho32.exe 29 PID 1664 wrote to memory of 1704 1664 Flgbho32.exe 29 PID 1664 wrote to memory of 1704 1664 Flgbho32.exe 29 PID 1704 wrote to memory of 2576 1704 Fliomnfp.exe 30 PID 1704 wrote to memory of 2576 1704 Fliomnfp.exe 30 PID 1704 wrote to memory of 2576 1704 Fliomnfp.exe 30 PID 1704 wrote to memory of 2576 1704 Fliomnfp.exe 30 PID 2576 wrote to memory of 2588 2576 Fdgqgqah.exe 31 PID 2576 wrote to memory of 2588 2576 Fdgqgqah.exe 31 PID 2576 wrote to memory of 2588 2576 Fdgqgqah.exe 31 PID 2576 wrote to memory of 2588 2576 Fdgqgqah.exe 31 PID 2588 wrote to memory of 2608 2588 Gamnfd32.exe 32 PID 2588 wrote to memory of 2608 2588 Gamnfd32.exe 32 PID 2588 wrote to memory of 2608 2588 Gamnfd32.exe 32 PID 2588 wrote to memory of 2608 2588 Gamnfd32.exe 32 PID 2608 wrote to memory of 2616 2608 Gliklahk.exe 33 PID 2608 wrote to memory of 2616 2608 Gliklahk.exe 33 PID 2608 wrote to memory of 2616 2608 Gliklahk.exe 33 PID 2608 wrote to memory of 2616 2608 Gliklahk.exe 33 PID 2616 wrote to memory of 2520 2616 Hedmkgmi.exe 34 PID 2616 wrote to memory of 2520 2616 Hedmkgmi.exe 34 PID 2616 wrote to memory of 2520 2616 Hedmkgmi.exe 34 PID 2616 wrote to memory of 2520 2616 Hedmkgmi.exe 34 PID 2520 wrote to memory of 1916 2520 Hfifff32.exe 35 PID 2520 wrote to memory of 1916 2520 Hfifff32.exe 35 PID 2520 wrote to memory of 1916 2520 Hfifff32.exe 35 PID 2520 wrote to memory of 1916 2520 Hfifff32.exe 35 PID 1916 wrote to memory of 1528 1916 Hjkkojlc.exe 36 PID 1916 wrote to memory of 1528 1916 Hjkkojlc.exe 36 PID 1916 wrote to memory of 1528 1916 Hjkkojlc.exe 36 PID 1916 wrote to memory of 1528 1916 Hjkkojlc.exe 36 PID 1528 wrote to memory of 2508 1528 Hbbcpg32.exe 37 PID 1528 wrote to memory of 2508 1528 Hbbcpg32.exe 37 PID 1528 wrote to memory of 2508 1528 Hbbcpg32.exe 37 PID 1528 wrote to memory of 2508 1528 Hbbcpg32.exe 37 PID 2508 wrote to memory of 2932 2508 Ijaapifk.exe 38 PID 2508 wrote to memory of 2932 2508 Ijaapifk.exe 38 PID 2508 wrote to memory of 2932 2508 Ijaapifk.exe 38 PID 2508 wrote to memory of 2932 2508 Ijaapifk.exe 38 PID 2932 wrote to memory of 1640 2932 Jilhldfn.exe 39 PID 2932 wrote to memory of 1640 2932 Jilhldfn.exe 39 PID 2932 wrote to memory of 1640 2932 Jilhldfn.exe 39 PID 2932 wrote to memory of 1640 2932 Jilhldfn.exe 39 PID 1640 wrote to memory of 2296 1640 Jbfijjkl.exe 40 PID 1640 wrote to memory of 2296 1640 Jbfijjkl.exe 40 PID 1640 wrote to memory of 2296 1640 Jbfijjkl.exe 40 PID 1640 wrote to memory of 2296 1640 Jbfijjkl.exe 40 PID 2296 wrote to memory of 1712 2296 Jpqclb32.exe 41 PID 2296 wrote to memory of 1712 2296 Jpqclb32.exe 41 PID 2296 wrote to memory of 1712 2296 Jpqclb32.exe 41 PID 2296 wrote to memory of 1712 2296 Jpqclb32.exe 41 PID 1712 wrote to memory of 2132 1712 Kmgpkfab.exe 42 PID 1712 wrote to memory of 2132 1712 Kmgpkfab.exe 42 PID 1712 wrote to memory of 2132 1712 Kmgpkfab.exe 42 PID 1712 wrote to memory of 2132 1712 Kmgpkfab.exe 42 PID 2132 wrote to memory of 1452 2132 Kphimanc.exe 43 PID 2132 wrote to memory of 1452 2132 Kphimanc.exe 43 PID 2132 wrote to memory of 1452 2132 Kphimanc.exe 43 PID 2132 wrote to memory of 1452 2132 Kphimanc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Flgbho32.exeC:\Windows\system32\Flgbho32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Fliomnfp.exeC:\Windows\system32\Fliomnfp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Fdgqgqah.exeC:\Windows\system32\Fdgqgqah.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Gamnfd32.exeC:\Windows\system32\Gamnfd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe35⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe37⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe38⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe39⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe43⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe44⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe45⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe48⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe49⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe51⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe52⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe53⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe55⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe57⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe58⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe59⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe61⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe64⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe66⤵PID:1108
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe67⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe68⤵PID:1760
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe69⤵
- Drops file in System32 directory
PID:412 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe71⤵PID:2268
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe72⤵PID:1612
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe73⤵PID:764
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe74⤵PID:2844
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe75⤵PID:2972
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe76⤵PID:2636
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe77⤵PID:2668
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe78⤵PID:2684
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe79⤵PID:2940
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe80⤵PID:2144
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe81⤵PID:2536
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe82⤵PID:2804
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe83⤵
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe84⤵
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe85⤵PID:2084
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe86⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe87⤵
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe88⤵PID:1532
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe89⤵PID:2312
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe91⤵PID:2896
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe92⤵PID:2976
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe94⤵PID:2036
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe95⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe96⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe97⤵PID:2820
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe98⤵PID:1832
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe99⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe100⤵
- Modifies registry class
PID:656 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe101⤵PID:940
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1232 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:740 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe105⤵PID:2200
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe106⤵PID:1956
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe109⤵PID:1996
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe110⤵PID:3068
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe111⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe113⤵PID:1720
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe114⤵PID:1868
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe115⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe116⤵PID:2032
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe117⤵PID:1208
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe119⤵PID:2528
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe120⤵PID:2916
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe121⤵PID:3020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-