Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
157s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26/06/2024, 01:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe
-
Size
576KB
-
MD5
dab505c3bca96f9d6de161852af5e3d0
-
SHA1
7a592d58921e3d58eea93910b029742b11c7850b
-
SHA256
334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b
-
SHA512
640b5839fea1507fc8245f5f4b5f20baa9b9dedc168cd4b9605bb6c2d090ec04d0cbc3a49a65eb54924d908c79b4697713eb7bf8f7457b7791bcab7954e20a8f
-
SSDEEP
12288:yGcEBCGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:yNEBCGyXsGG1ws5ipX6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adoamfhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbndgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qajhigcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkjfloeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Conagl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqjlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cecbgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkncno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oggjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmhdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgebif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmabpmjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bncllqhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iciflfcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkakm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgbej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baadbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fieacc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knioij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnfafpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malgmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nelfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oobfhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkbnkfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbddmejf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlmhfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafogggl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpideje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqokhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflclcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgieipmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biogieke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aajoapdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimdbnip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmoehojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbkfood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aalndaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gonnhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gekckpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfmcpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleeafbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnblmnfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obdbqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcmcfeke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nijeoikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpphcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqikfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghohdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Appaangd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afmhma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikagpcof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mebchf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnbnchlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadkib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojhijjll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdndik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkndbkop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhidcffq.exe -
Executes dropped EXE 64 IoCs
pid Process 224 Khcgfo32.exe 4748 Nkjlqd32.exe 2516 Pnknim32.exe 4124 Abpmpkoh.exe 1252 Abbiej32.exe 2448 Aeeomegd.exe 3356 Bfpkbfdi.exe 4524 Chinkndp.exe 3588 Dhmgfm32.exe 2428 Dlnlak32.exe 4720 Eohhie32.exe 5024 Fiilblom.exe 2156 Gomkkagl.exe 3308 Glchjedc.exe 3112 Hlogfd32.exe 3396 Hhehkepj.exe 4452 Iqfcbahb.exe 456 Jmopmalc.exe 2488 Jgedjjki.exe 4472 Jopiom32.exe 4020 Kfeagefd.exe 1588 Ljhchc32.exe 4568 Lmneemaq.exe 2260 Midfjnge.exe 892 Migcpneb.exe 4824 Nfdfoala.exe 1388 Najjmjkg.exe 3864 Npadcfnl.exe 3380 Ndomiddc.exe 1996 Ogdofo32.exe 3236 Qhbhapha.exe 3768 Addhbo32.exe 3464 Bbkeacqo.exe 3468 Bjkcqdje.exe 2372 Bqdlmo32.exe 3280 Cqghcn32.exe 3456 Cnkilbni.exe 3096 Celgjlpn.exe 4364 Eoindndf.exe 2196 Gbcffk32.exe 1496 Gbjlgj32.exe 1124 Hhiaepfl.exe 1456 Hchihhng.exe 696 Iooimi32.exe 5064 Ikejbjip.exe 2292 Ifphkbep.exe 4992 Kcphpdil.exe 652 Kofheeoq.exe 3408 Kfbmgo32.exe 3348 Kicfijal.exe 824 Lcndab32.exe 3908 Lcpqgbkj.exe 1596 Lfqjhmhk.exe 1656 Lfcfnm32.exe 2432 Mjaodkmo.exe 3284 Mppdbb32.exe 620 Mflidl32.exe 4184 Mfofjk32.exe 440 Ncbfcp32.exe 1560 Nbhcdl32.exe 2152 Nmbamdkm.exe 4816 Omgjhc32.exe 2888 Oiphbd32.exe 3184 Olqqdo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ibdiln32.exe Hdpicj32.exe File created C:\Windows\SysWOW64\Aieeddaq.dll Bdmpljlj.exe File created C:\Windows\SysWOW64\Alcfpm32.exe Qkpmcddi.exe File created C:\Windows\SysWOW64\Ldjhib32.exe Leihlj32.exe File created C:\Windows\SysWOW64\Hgahnjpk.exe Gdaomobj.exe File created C:\Windows\SysWOW64\Clnopg32.exe Cdggoi32.exe File created C:\Windows\SysWOW64\Hiomppkc.exe Hoglmg32.exe File created C:\Windows\SysWOW64\Okaabg32.exe Olqqdo32.exe File created C:\Windows\SysWOW64\Cfmijkhj.exe Cleeafbi.exe File opened for modification C:\Windows\SysWOW64\Qdmkbmnl.exe Qlbfnk32.exe File created C:\Windows\SysWOW64\Bdmpljlj.exe Behbkmgb.exe File created C:\Windows\SysWOW64\Mkfela32.dll Dehkbkip.exe File created C:\Windows\SysWOW64\Noaoagca.exe Mhgfdmle.exe File created C:\Windows\SysWOW64\Oidopn32.exe Olqofjhn.exe File created C:\Windows\SysWOW64\Mijofaje.exe Mndjhhjp.exe File created C:\Windows\SysWOW64\Hflclcle.exe Hfiffd32.exe File opened for modification C:\Windows\SysWOW64\Lcndab32.exe Kicfijal.exe File created C:\Windows\SysWOW64\Afmfjgde.dll Feocoaai.exe File created C:\Windows\SysWOW64\Aclhkdmp.dll Olnkfd32.exe File opened for modification C:\Windows\SysWOW64\Ccmgbf32.exe Ckfpai32.exe File created C:\Windows\SysWOW64\Mihppm32.dll Fbhplnca.exe File created C:\Windows\SysWOW64\Maicmgoc.exe Mklkepal.exe File created C:\Windows\SysWOW64\Nkijbooo.exe Nqdeefpi.exe File created C:\Windows\SysWOW64\Bdkmeh32.dll Jeekeg32.exe File created C:\Windows\SysWOW64\Bcdlgnkk.exe Biogieke.exe File opened for modification C:\Windows\SysWOW64\Kcphpdil.exe Ifphkbep.exe File created C:\Windows\SysWOW64\Beaoimie.dll Aikbpckb.exe File created C:\Windows\SysWOW64\Oenljoji.exe Opqdbhlb.exe File created C:\Windows\SysWOW64\Fmehnn32.exe Embkhn32.exe File created C:\Windows\SysWOW64\Egikekfa.dll Falmabki.exe File created C:\Windows\SysWOW64\Piolpj32.dll Iooimi32.exe File opened for modification C:\Windows\SysWOW64\Jlcchn32.exe Jcknpi32.exe File created C:\Windows\SysWOW64\Icamkbbh.dll Fkhppgic.exe File opened for modification C:\Windows\SysWOW64\Nfdfoala.exe Migcpneb.exe File created C:\Windows\SysWOW64\Apncei32.dll Gdkgam32.exe File created C:\Windows\SysWOW64\Ogdofo32.exe Ndomiddc.exe File created C:\Windows\SysWOW64\Bamjca32.dll Cnjkgf32.exe File created C:\Windows\SysWOW64\Fapobl32.exe Ffjkdc32.exe File created C:\Windows\SysWOW64\Kgpodk32.exe Jhdlbp32.exe File created C:\Windows\SysWOW64\Gdlnkc32.exe Fooecl32.exe File opened for modification C:\Windows\SysWOW64\Eplgod32.exe Ebggep32.exe File created C:\Windows\SysWOW64\Kfeagefd.exe Jopiom32.exe File created C:\Windows\SysWOW64\Kdophj32.exe Kmegkp32.exe File opened for modification C:\Windows\SysWOW64\Bmqhlk32.exe Apmhbf32.exe File created C:\Windows\SysWOW64\Kfbmgo32.exe Kofheeoq.exe File created C:\Windows\SysWOW64\Ieebmf32.dll Eoneah32.exe File created C:\Windows\SysWOW64\Fmhcda32.exe Fligjnlo.exe File created C:\Windows\SysWOW64\Omeahnij.dll Afmhma32.exe File opened for modification C:\Windows\SysWOW64\Qgnief32.exe Qmhdhm32.exe File opened for modification C:\Windows\SysWOW64\Ihnkobpl.exe Inhgaipf.exe File created C:\Windows\SysWOW64\Nljopa32.exe Ndokko32.exe File created C:\Windows\SysWOW64\Ljobiofi.exe Lqfnqjpi.exe File opened for modification C:\Windows\SysWOW64\Clgbfe32.exe Cfmijkhj.exe File created C:\Windows\SysWOW64\Bbkeacqo.exe Addhbo32.exe File created C:\Windows\SysWOW64\Phlqlgmg.exe Phjdggoj.exe File created C:\Windows\SysWOW64\Cleeafbi.exe Cbpacmbc.exe File opened for modification C:\Windows\SysWOW64\Diicfa32.exe Dclknkfp.exe File opened for modification C:\Windows\SysWOW64\Ojfmdk32.exe Nnolojhk.exe File opened for modification C:\Windows\SysWOW64\Cecbgl32.exe Cknnjcmo.exe File opened for modification C:\Windows\SysWOW64\Fnoboc32.exe Fhbifl32.exe File opened for modification C:\Windows\SysWOW64\Dkndbkop.exe Dogdnj32.exe File created C:\Windows\SysWOW64\Mnedig32.dll Glchjedc.exe File created C:\Windows\SysWOW64\Hbdfmdbe.dll Poelfc32.exe File opened for modification C:\Windows\SysWOW64\Pjaefc32.exe Pnjeqbkb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8788 5316 WerFault.exe 823 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdeqckb.dll" Acheqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fldeie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhfcbfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pneelmjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgoalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlpeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aecnmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebapednb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcaohogk.dll" Fdbked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoonjjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfhbkgc.dll" Qmhdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kijjldkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbipa32.dll" Mlpeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndjec32.dll" Midfjnge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejjld32.dll" Ghmkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjbhmni.dll" Amblpikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmloae32.dll" Pokjnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeqclfaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mejijcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oimdbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhcpmn32.dll" Loqjlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegpaf32.dll" Fmehnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paapjc32.dll" Pknqhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnkbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnmobopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmhcda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfckjnjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amblenpq.dll" Pjaefc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gohaod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkdieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Milinkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnhjgphd.dll" Omkmcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbandfpf.dll" Opdpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlpgiebo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nboggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjkipdpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfpgppoj.dll" Fbpcah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqkihpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkmpjb32.dll" Dlnlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoebhpfd.dll" Noehlgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pchcdbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laiaqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgcjmjho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlcchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihccpqcl.dll" Bdndik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbhea32.dll" Ebiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfmba32.dll" Phcogice.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcdlgnkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilfhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbafjmfi.dll" Opqdbhlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Addhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiejckcq.dll" Hadkib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalih32.dll" Cknnjcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlamak32.dll" Ngpcmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoogpcco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ompfnoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piolpj32.dll" Iooimi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdfnmhnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbbnbkpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alpgcg32.dll" Oqfdgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kainifch.dll" Oenljoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmomm32.dll" Hfioln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgahkj.dll" Eoagdi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 224 2772 334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe 91 PID 2772 wrote to memory of 224 2772 334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe 91 PID 2772 wrote to memory of 224 2772 334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe 91 PID 224 wrote to memory of 4748 224 Khcgfo32.exe 92 PID 224 wrote to memory of 4748 224 Khcgfo32.exe 92 PID 224 wrote to memory of 4748 224 Khcgfo32.exe 92 PID 4748 wrote to memory of 2516 4748 Nkjlqd32.exe 94 PID 4748 wrote to memory of 2516 4748 Nkjlqd32.exe 94 PID 4748 wrote to memory of 2516 4748 Nkjlqd32.exe 94 PID 2516 wrote to memory of 4124 2516 Pnknim32.exe 95 PID 2516 wrote to memory of 4124 2516 Pnknim32.exe 95 PID 2516 wrote to memory of 4124 2516 Pnknim32.exe 95 PID 4124 wrote to memory of 1252 4124 Abpmpkoh.exe 97 PID 4124 wrote to memory of 1252 4124 Abpmpkoh.exe 97 PID 4124 wrote to memory of 1252 4124 Abpmpkoh.exe 97 PID 1252 wrote to memory of 2448 1252 Abbiej32.exe 98 PID 1252 wrote to memory of 2448 1252 Abbiej32.exe 98 PID 1252 wrote to memory of 2448 1252 Abbiej32.exe 98 PID 2448 wrote to memory of 3356 2448 Aeeomegd.exe 99 PID 2448 wrote to memory of 3356 2448 Aeeomegd.exe 99 PID 2448 wrote to memory of 3356 2448 Aeeomegd.exe 99 PID 3356 wrote to memory of 4524 3356 Bfpkbfdi.exe 100 PID 3356 wrote to memory of 4524 3356 Bfpkbfdi.exe 100 PID 3356 wrote to memory of 4524 3356 Bfpkbfdi.exe 100 PID 4524 wrote to memory of 3588 4524 Chinkndp.exe 101 PID 4524 wrote to memory of 3588 4524 Chinkndp.exe 101 PID 4524 wrote to memory of 3588 4524 Chinkndp.exe 101 PID 3588 wrote to memory of 2428 3588 Dhmgfm32.exe 102 PID 3588 wrote to memory of 2428 3588 Dhmgfm32.exe 102 PID 3588 wrote to memory of 2428 3588 Dhmgfm32.exe 102 PID 2428 wrote to memory of 4720 2428 Dlnlak32.exe 103 PID 2428 wrote to memory of 4720 2428 Dlnlak32.exe 103 PID 2428 wrote to memory of 4720 2428 Dlnlak32.exe 103 PID 4720 wrote to memory of 5024 4720 Eohhie32.exe 104 PID 4720 wrote to memory of 5024 4720 Eohhie32.exe 104 PID 4720 wrote to memory of 5024 4720 Eohhie32.exe 104 PID 5024 wrote to memory of 2156 5024 Fiilblom.exe 105 PID 5024 wrote to memory of 2156 5024 Fiilblom.exe 105 PID 5024 wrote to memory of 2156 5024 Fiilblom.exe 105 PID 2156 wrote to memory of 3308 2156 Gomkkagl.exe 106 PID 2156 wrote to memory of 3308 2156 Gomkkagl.exe 106 PID 2156 wrote to memory of 3308 2156 Gomkkagl.exe 106 PID 3308 wrote to memory of 3112 3308 Glchjedc.exe 107 PID 3308 wrote to memory of 3112 3308 Glchjedc.exe 107 PID 3308 wrote to memory of 3112 3308 Glchjedc.exe 107 PID 3112 wrote to memory of 3396 3112 Hlogfd32.exe 108 PID 3112 wrote to memory of 3396 3112 Hlogfd32.exe 108 PID 3112 wrote to memory of 3396 3112 Hlogfd32.exe 108 PID 3396 wrote to memory of 4452 3396 Hhehkepj.exe 109 PID 3396 wrote to memory of 4452 3396 Hhehkepj.exe 109 PID 3396 wrote to memory of 4452 3396 Hhehkepj.exe 109 PID 4452 wrote to memory of 456 4452 Iqfcbahb.exe 110 PID 4452 wrote to memory of 456 4452 Iqfcbahb.exe 110 PID 4452 wrote to memory of 456 4452 Iqfcbahb.exe 110 PID 456 wrote to memory of 2488 456 Jmopmalc.exe 111 PID 456 wrote to memory of 2488 456 Jmopmalc.exe 111 PID 456 wrote to memory of 2488 456 Jmopmalc.exe 111 PID 2488 wrote to memory of 4472 2488 Jgedjjki.exe 112 PID 2488 wrote to memory of 4472 2488 Jgedjjki.exe 112 PID 2488 wrote to memory of 4472 2488 Jgedjjki.exe 112 PID 4472 wrote to memory of 4020 4472 Jopiom32.exe 113 PID 4472 wrote to memory of 4020 4472 Jopiom32.exe 113 PID 4472 wrote to memory of 4020 4472 Jopiom32.exe 113 PID 4020 wrote to memory of 1588 4020 Kfeagefd.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\334248fabddab21f492487fa52c0c9ad4d265f4e73d7a14ba5e90826b719863b_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Abpmpkoh.exeC:\Windows\system32\Abpmpkoh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Chinkndp.exeC:\Windows\system32\Chinkndp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Dhmgfm32.exeC:\Windows\system32\Dhmgfm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Dlnlak32.exeC:\Windows\system32\Dlnlak32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Eohhie32.exeC:\Windows\system32\Eohhie32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Fiilblom.exeC:\Windows\system32\Fiilblom.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Gomkkagl.exeC:\Windows\system32\Gomkkagl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Glchjedc.exeC:\Windows\system32\Glchjedc.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Hlogfd32.exeC:\Windows\system32\Hlogfd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Hhehkepj.exeC:\Windows\system32\Hhehkepj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Iqfcbahb.exeC:\Windows\system32\Iqfcbahb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Jmopmalc.exeC:\Windows\system32\Jmopmalc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Jgedjjki.exeC:\Windows\system32\Jgedjjki.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Kfeagefd.exeC:\Windows\system32\Kfeagefd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Ljhchc32.exeC:\Windows\system32\Ljhchc32.exe23⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Lmneemaq.exeC:\Windows\system32\Lmneemaq.exe24⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Midfjnge.exeC:\Windows\system32\Midfjnge.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Migcpneb.exeC:\Windows\system32\Migcpneb.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe27⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Najjmjkg.exeC:\Windows\system32\Najjmjkg.exe28⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Npadcfnl.exeC:\Windows\system32\Npadcfnl.exe29⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3380 -
C:\Windows\SysWOW64\Ogdofo32.exeC:\Windows\system32\Ogdofo32.exe31⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe32⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe34⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Bjkcqdje.exeC:\Windows\system32\Bjkcqdje.exe35⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Bqdlmo32.exeC:\Windows\system32\Bqdlmo32.exe36⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Cqghcn32.exeC:\Windows\system32\Cqghcn32.exe37⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe38⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe39⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Eoindndf.exeC:\Windows\system32\Eoindndf.exe40⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe41⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Gbjlgj32.exeC:\Windows\system32\Gbjlgj32.exe42⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Hhiaepfl.exeC:\Windows\system32\Hhiaepfl.exe43⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Hchihhng.exeC:\Windows\system32\Hchihhng.exe44⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Iooimi32.exeC:\Windows\system32\Iooimi32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Ikejbjip.exeC:\Windows\system32\Ikejbjip.exe46⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Ifphkbep.exeC:\Windows\system32\Ifphkbep.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Kcphpdil.exeC:\Windows\system32\Kcphpdil.exe48⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Kofheeoq.exeC:\Windows\system32\Kofheeoq.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Kfbmgo32.exeC:\Windows\system32\Kfbmgo32.exe50⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Kicfijal.exeC:\Windows\system32\Kicfijal.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\Lcndab32.exeC:\Windows\system32\Lcndab32.exe52⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Lcpqgbkj.exeC:\Windows\system32\Lcpqgbkj.exe53⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Lfqjhmhk.exeC:\Windows\system32\Lfqjhmhk.exe54⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Lfcfnm32.exeC:\Windows\system32\Lfcfnm32.exe55⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mjaodkmo.exeC:\Windows\system32\Mjaodkmo.exe56⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Mppdbb32.exeC:\Windows\system32\Mppdbb32.exe57⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Mflidl32.exeC:\Windows\system32\Mflidl32.exe58⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Mfofjk32.exeC:\Windows\system32\Mfofjk32.exe59⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Ncbfcp32.exeC:\Windows\system32\Ncbfcp32.exe60⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Nbhcdl32.exeC:\Windows\system32\Nbhcdl32.exe61⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Nmbamdkm.exeC:\Windows\system32\Nmbamdkm.exe62⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Omgjhc32.exeC:\Windows\system32\Omgjhc32.exe63⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Oiphbd32.exeC:\Windows\system32\Oiphbd32.exe64⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Olqqdo32.exeC:\Windows\system32\Olqqdo32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Okaabg32.exeC:\Windows\system32\Okaabg32.exe66⤵PID:4716
-
C:\Windows\SysWOW64\Pkdngf32.exeC:\Windows\system32\Pkdngf32.exe67⤵PID:4428
-
C:\Windows\SysWOW64\Pgknlg32.exeC:\Windows\system32\Pgknlg32.exe68⤵PID:1460
-
C:\Windows\SysWOW64\Ppepkmhi.exeC:\Windows\system32\Ppepkmhi.exe69⤵PID:924
-
C:\Windows\SysWOW64\Qkpmcddi.exeC:\Windows\system32\Qkpmcddi.exe70⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Alcfpm32.exeC:\Windows\system32\Alcfpm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4000 -
C:\Windows\SysWOW64\Agndidce.exeC:\Windows\system32\Agndidce.exe72⤵PID:4736
-
C:\Windows\SysWOW64\Bdfnmhnj.exeC:\Windows\system32\Bdfnmhnj.exe73⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Bckknd32.exeC:\Windows\system32\Bckknd32.exe74⤵PID:232
-
C:\Windows\SysWOW64\Bqokhi32.exeC:\Windows\system32\Bqokhi32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Ckiipa32.exeC:\Windows\system32\Ckiipa32.exe76⤵PID:1756
-
C:\Windows\SysWOW64\Enoddi32.exeC:\Windows\system32\Enoddi32.exe77⤵PID:3288
-
C:\Windows\SysWOW64\Eclmlpfl.exeC:\Windows\system32\Eclmlpfl.exe78⤵PID:1172
-
C:\Windows\SysWOW64\Eapmedef.exeC:\Windows\system32\Eapmedef.exe79⤵PID:2312
-
C:\Windows\SysWOW64\Emgnje32.exeC:\Windows\system32\Emgnje32.exe80⤵PID:2204
-
C:\Windows\SysWOW64\Eepbabjj.exeC:\Windows\system32\Eepbabjj.exe81⤵PID:5100
-
C:\Windows\SysWOW64\Febogbhg.exeC:\Windows\system32\Febogbhg.exe82⤵PID:1600
-
C:\Windows\SysWOW64\Flodilma.exeC:\Windows\system32\Flodilma.exe83⤵PID:2596
-
C:\Windows\SysWOW64\Falmabki.exeC:\Windows\system32\Falmabki.exe84⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Fhhaclqc.exeC:\Windows\system32\Fhhaclqc.exe85⤵PID:5148
-
C:\Windows\SysWOW64\Fmejlcoj.exeC:\Windows\system32\Fmejlcoj.exe86⤵PID:5188
-
C:\Windows\SysWOW64\Ghmkol32.exeC:\Windows\system32\Ghmkol32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Ghohdk32.exeC:\Windows\system32\Ghohdk32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5272 -
C:\Windows\SysWOW64\Gkbnkfei.exeC:\Windows\system32\Gkbnkfei.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Hdmojkjg.exeC:\Windows\system32\Hdmojkjg.exe90⤵PID:5360
-
C:\Windows\SysWOW64\Hdokok32.exeC:\Windows\system32\Hdokok32.exe91⤵PID:5400
-
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe92⤵PID:5448
-
C:\Windows\SysWOW64\Ioeicajh.exeC:\Windows\system32\Ioeicajh.exe93⤵PID:5500
-
C:\Windows\SysWOW64\Jhbfgflc.exeC:\Windows\system32\Jhbfgflc.exe94⤵PID:5548
-
C:\Windows\SysWOW64\Jdnqgg32.exeC:\Windows\system32\Jdnqgg32.exe95⤵PID:5588
-
C:\Windows\SysWOW64\Khlinedh.exeC:\Windows\system32\Khlinedh.exe96⤵PID:5628
-
C:\Windows\SysWOW64\Kadnfkji.exeC:\Windows\system32\Kadnfkji.exe97⤵PID:5668
-
C:\Windows\SysWOW64\Kffphhmj.exeC:\Windows\system32\Kffphhmj.exe98⤵PID:5716
-
C:\Windows\SysWOW64\Lmeapbpa.exeC:\Windows\system32\Lmeapbpa.exe99⤵PID:5760
-
C:\Windows\SysWOW64\Lbbjhini.exeC:\Windows\system32\Lbbjhini.exe100⤵PID:5800
-
C:\Windows\SysWOW64\Mejijcea.exeC:\Windows\system32\Mejijcea.exe101⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Mnbnchlb.exeC:\Windows\system32\Mnbnchlb.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Mmcnap32.exeC:\Windows\system32\Mmcnap32.exe103⤵PID:5932
-
C:\Windows\SysWOW64\Mndjhhjp.exeC:\Windows\system32\Mndjhhjp.exe104⤵
- Drops file in System32 directory
PID:5972 -
C:\Windows\SysWOW64\Mijofaje.exeC:\Windows\system32\Mijofaje.exe105⤵PID:6012
-
C:\Windows\SysWOW64\Nilkkq32.exeC:\Windows\system32\Nilkkq32.exe106⤵PID:6060
-
C:\Windows\SysWOW64\Neclpamg.exeC:\Windows\system32\Neclpamg.exe107⤵PID:5132
-
C:\Windows\SysWOW64\Nblfee32.exeC:\Windows\system32\Nblfee32.exe108⤵PID:5216
-
C:\Windows\SysWOW64\Oemofpel.exeC:\Windows\system32\Oemofpel.exe109⤵PID:5256
-
C:\Windows\SysWOW64\Opdpih32.exeC:\Windows\system32\Opdpih32.exe110⤵
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Opiidhoj.exeC:\Windows\system32\Opiidhoj.exe112⤵PID:5484
-
C:\Windows\SysWOW64\Pldcdhpi.exeC:\Windows\system32\Pldcdhpi.exe113⤵PID:5612
-
C:\Windows\SysWOW64\Poelfc32.exeC:\Windows\system32\Poelfc32.exe114⤵
- Drops file in System32 directory
PID:5700 -
C:\Windows\SysWOW64\Peodcmeg.exeC:\Windows\system32\Peodcmeg.exe115⤵PID:5788
-
C:\Windows\SysWOW64\Qbhnga32.exeC:\Windows\system32\Qbhnga32.exe116⤵PID:5880
-
C:\Windows\SysWOW64\Aidcjk32.exeC:\Windows\system32\Aidcjk32.exe117⤵PID:5960
-
C:\Windows\SysWOW64\Amblpikl.exeC:\Windows\system32\Amblpikl.exe118⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Bmlofhca.exeC:\Windows\system32\Bmlofhca.exe119⤵PID:5220
-
C:\Windows\SysWOW64\Blchmdff.exeC:\Windows\system32\Blchmdff.exe120⤵PID:5328
-
C:\Windows\SysWOW64\Bjgifhep.exeC:\Windows\system32\Bjgifhep.exe121⤵PID:5488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-