Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 01:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe
-
Size
90KB
-
MD5
eadc60af843e15bb2c8931771188ae90
-
SHA1
2e1a5fa087619bce0d479d4ab1eea488e5175c63
-
SHA256
494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e
-
SHA512
76640bdcd8991fca07fcb114a8ed06a906f69f99a8efcfade89c2281d2fb13fa9d92271b91b0aae510e8efb20e215c07ed9a05fb667a37fdc1281fda206e1fa1
-
SSDEEP
1536:iMd0w4jbj5IWaVX0fiHptqFIFt5gJSuubsaSIenqEGXu/Ub0VkVNK:is0w4jH5IWaVXSJFIFtmJ3ubsnnqEGXw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnneja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obcccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfokbnip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqalka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdbbloa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkqqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecqqpgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemgilhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfmdho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcdnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjgkjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bemgilhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjpacfp.exe -
Executes dropped EXE 64 IoCs
pid Process 1716 Cgpgce32.exe 2592 Cnippoha.exe 2700 Cfeddafl.exe 2844 Chcqpmep.exe 2528 Cbkeib32.exe 2496 Cfgaiaci.exe 3008 Ckdjbh32.exe 2396 Cfinoq32.exe 832 Chhjkl32.exe 1860 Ckffgg32.exe 308 Ddokpmfo.exe 1632 Dgmglh32.exe 2408 Dngoibmo.exe 1244 Dqelenlc.exe 2920 Dkkpbgli.exe 2872 Dnilobkm.exe 776 Ddcdkl32.exe 1492 Dkmmhf32.exe 296 Dnlidb32.exe 1540 Dqjepm32.exe 3020 Dfgmhd32.exe 1776 Dnneja32.exe 976 Doobajme.exe 756 Dgfjbgmh.exe 2360 Dgfjbgmh.exe 2076 Djefobmk.exe 2908 Eflgccbp.exe 2092 Ejgcdb32.exe 2440 Ebbgid32.exe 3036 Efncicpm.exe 2848 Ekklaj32.exe 2768 Enihne32.exe 2800 Eiomkn32.exe 2572 Epieghdk.exe 1068 Eeempocb.exe 1580 Egdilkbf.exe 1916 Eloemi32.exe 1672 Fehjeo32.exe 1420 Fnpnndgp.exe 1684 Faokjpfd.exe 1404 Fcmgfkeg.exe 1308 Fmekoalh.exe 2868 Fpdhklkl.exe 672 Fjilieka.exe 1092 Facdeo32.exe 2688 Fpfdalii.exe 2808 Fbdqmghm.exe 3040 Fjlhneio.exe 1604 Fioija32.exe 108 Fmjejphb.exe 2448 Flmefm32.exe 3012 Fddmgjpo.exe 1592 Fbgmbg32.exe 2948 Feeiob32.exe 2616 Globlmmj.exe 2656 Gbijhg32.exe 2636 Gegfdb32.exe 2516 Glaoalkh.exe 2936 Gpmjak32.exe 1428 Gopkmhjk.exe 2024 Gbkgnfbd.exe 1316 Gejcjbah.exe 2476 Ghhofmql.exe 1572 Gldkfl32.exe -
Loads dropped DLL 64 IoCs
pid Process 848 494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe 848 494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe 1716 Cgpgce32.exe 1716 Cgpgce32.exe 2592 Cnippoha.exe 2592 Cnippoha.exe 2700 Cfeddafl.exe 2700 Cfeddafl.exe 2844 Chcqpmep.exe 2844 Chcqpmep.exe 2528 Cbkeib32.exe 2528 Cbkeib32.exe 2496 Cfgaiaci.exe 2496 Cfgaiaci.exe 3008 Ckdjbh32.exe 3008 Ckdjbh32.exe 2396 Cfinoq32.exe 2396 Cfinoq32.exe 832 Chhjkl32.exe 832 Chhjkl32.exe 1860 Ckffgg32.exe 1860 Ckffgg32.exe 308 Ddokpmfo.exe 308 Ddokpmfo.exe 1632 Dgmglh32.exe 1632 Dgmglh32.exe 2408 Dngoibmo.exe 2408 Dngoibmo.exe 1244 Dqelenlc.exe 1244 Dqelenlc.exe 2920 Dkkpbgli.exe 2920 Dkkpbgli.exe 2872 Dnilobkm.exe 2872 Dnilobkm.exe 776 Ddcdkl32.exe 776 Ddcdkl32.exe 1492 Dkmmhf32.exe 1492 Dkmmhf32.exe 296 Dnlidb32.exe 296 Dnlidb32.exe 1540 Dqjepm32.exe 1540 Dqjepm32.exe 3020 Dfgmhd32.exe 3020 Dfgmhd32.exe 1776 Dnneja32.exe 1776 Dnneja32.exe 976 Doobajme.exe 976 Doobajme.exe 756 Dgfjbgmh.exe 756 Dgfjbgmh.exe 2360 Dgfjbgmh.exe 2360 Dgfjbgmh.exe 2076 Djefobmk.exe 2076 Djefobmk.exe 2908 Eflgccbp.exe 2908 Eflgccbp.exe 2092 Ejgcdb32.exe 2092 Ejgcdb32.exe 2440 Ebbgid32.exe 2440 Ebbgid32.exe 3036 Efncicpm.exe 3036 Efncicpm.exe 2848 Ekklaj32.exe 2848 Ekklaj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cqmnhocj.dll Fnpnndgp.exe File created C:\Windows\SysWOW64\Bccnbmal.dll Fmekoalh.exe File opened for modification C:\Windows\SysWOW64\Nhfipcid.exe Nehmdhja.exe File created C:\Windows\SysWOW64\Bhglodcb.dll Qpgpkcpp.exe File created C:\Windows\SysWOW64\Eloemi32.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Pnbgan32.dll Hhmepp32.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Apimacnn.exe Alnqqd32.exe File created C:\Windows\SysWOW64\Kgiaak32.dll Jqdipqbp.exe File opened for modification C:\Windows\SysWOW64\Lpphap32.exe Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Bdgafdfp.exe Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Eqpgol32.exe File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Ghhofmql.exe Gejcjbah.exe File created C:\Windows\SysWOW64\Hmhfjo32.dll Glaoalkh.exe File created C:\Windows\SysWOW64\Oceaboqg.dll Ngnbgplj.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File created C:\Windows\SysWOW64\Dgfjbgmh.exe Doobajme.exe File created C:\Windows\SysWOW64\Fmekoalh.exe Fcmgfkeg.exe File created C:\Windows\SysWOW64\Eiomkn32.exe Enihne32.exe File opened for modification C:\Windows\SysWOW64\Lhmjkaoc.exe Leonofpp.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dgmglh32.exe File created C:\Windows\SysWOW64\Dqjepm32.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Anojbobe.exe Alpmfdcb.exe File created C:\Windows\SysWOW64\Bfcampgf.exe Bbhela32.exe File created C:\Windows\SysWOW64\Cdbdjhmp.exe Cadhnmnm.exe File opened for modification C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Npfgpe32.exe Nacgdhlp.exe File opened for modification C:\Windows\SysWOW64\Icmlam32.exe Idklfpon.exe File opened for modification C:\Windows\SysWOW64\Lajhofao.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Iknnbklc.exe Idceea32.exe File created C:\Windows\SysWOW64\Ghlpli32.dll Ifcbodli.exe File opened for modification C:\Windows\SysWOW64\Qbelgood.exe Qpgpkcpp.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File opened for modification C:\Windows\SysWOW64\Lpdbloof.exe Lhmjkaoc.exe File opened for modification C:\Windows\SysWOW64\Lkncmmle.exe Lhpfqama.exe File opened for modification C:\Windows\SysWOW64\Mcegmm32.exe Mpfkqb32.exe File opened for modification C:\Windows\SysWOW64\Oddpfc32.exe Olmhdf32.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bfadgq32.exe File opened for modification C:\Windows\SysWOW64\Chpmpg32.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Kihqkagp.exe Kaaijdgn.exe File opened for modification C:\Windows\SysWOW64\Kcdnao32.exe Kafbec32.exe File created C:\Windows\SysWOW64\Ojfaijcc.exe Obojhlbq.exe File created C:\Windows\SysWOW64\Dpmqjgdc.dll Pclfkc32.exe File opened for modification C:\Windows\SysWOW64\Ccngld32.exe Cdlgpgef.exe File created C:\Windows\SysWOW64\Gpmjak32.exe Glaoalkh.exe File created C:\Windows\SysWOW64\Eiehea32.dll Inqcif32.exe File created C:\Windows\SysWOW64\Gojbjm32.dll Ccahbp32.exe File created C:\Windows\SysWOW64\Jjhhpp32.dll Cddaphkn.exe File created C:\Windows\SysWOW64\Jchafg32.dll Dliijipn.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lemaif32.exe File created C:\Windows\SysWOW64\Fbbkkjih.dll Meagci32.exe File created C:\Windows\SysWOW64\Phofkg32.dll Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Peiepfgg.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Njabih32.dll Bpnbkeld.exe File opened for modification C:\Windows\SysWOW64\Dcenlceh.exe Dojald32.exe File created C:\Windows\SysWOW64\Ongbcmlc.dll Fcmgfkeg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4184 4148 WerFault.exe 394 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnmehnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonahjjd.dll" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkbhikj.dll" Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjdbp32.dll" Qcpofbjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekkkkhe.dll" Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpdbloof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakomajq.dll" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll" Emkaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmoado32.dll" Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmjh32.dll" Biamilfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bldcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limilm32.dll" Kgbggnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkihhhnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdhhh32.dll" Nhfipcid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgecelp.dll" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlilc32.dll" Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbgbdkh.dll" Oqmmpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbkeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Echfaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Mgqcmlgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjlmo32.dll" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jifdebic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpo32.dll" Mbpnanch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqdipqbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 848 wrote to memory of 1716 848 494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe 28 PID 848 wrote to memory of 1716 848 494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe 28 PID 848 wrote to memory of 1716 848 494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe 28 PID 848 wrote to memory of 1716 848 494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe 28 PID 1716 wrote to memory of 2592 1716 Cgpgce32.exe 29 PID 1716 wrote to memory of 2592 1716 Cgpgce32.exe 29 PID 1716 wrote to memory of 2592 1716 Cgpgce32.exe 29 PID 1716 wrote to memory of 2592 1716 Cgpgce32.exe 29 PID 2592 wrote to memory of 2700 2592 Cnippoha.exe 30 PID 2592 wrote to memory of 2700 2592 Cnippoha.exe 30 PID 2592 wrote to memory of 2700 2592 Cnippoha.exe 30 PID 2592 wrote to memory of 2700 2592 Cnippoha.exe 30 PID 2700 wrote to memory of 2844 2700 Cfeddafl.exe 31 PID 2700 wrote to memory of 2844 2700 Cfeddafl.exe 31 PID 2700 wrote to memory of 2844 2700 Cfeddafl.exe 31 PID 2700 wrote to memory of 2844 2700 Cfeddafl.exe 31 PID 2844 wrote to memory of 2528 2844 Chcqpmep.exe 32 PID 2844 wrote to memory of 2528 2844 Chcqpmep.exe 32 PID 2844 wrote to memory of 2528 2844 Chcqpmep.exe 32 PID 2844 wrote to memory of 2528 2844 Chcqpmep.exe 32 PID 2528 wrote to memory of 2496 2528 Cbkeib32.exe 33 PID 2528 wrote to memory of 2496 2528 Cbkeib32.exe 33 PID 2528 wrote to memory of 2496 2528 Cbkeib32.exe 33 PID 2528 wrote to memory of 2496 2528 Cbkeib32.exe 33 PID 2496 wrote to memory of 3008 2496 Cfgaiaci.exe 34 PID 2496 wrote to memory of 3008 2496 Cfgaiaci.exe 34 PID 2496 wrote to memory of 3008 2496 Cfgaiaci.exe 34 PID 2496 wrote to memory of 3008 2496 Cfgaiaci.exe 34 PID 3008 wrote to memory of 2396 3008 Ckdjbh32.exe 35 PID 3008 wrote to memory of 2396 3008 Ckdjbh32.exe 35 PID 3008 wrote to memory of 2396 3008 Ckdjbh32.exe 35 PID 3008 wrote to memory of 2396 3008 Ckdjbh32.exe 35 PID 2396 wrote to memory of 832 2396 Cfinoq32.exe 36 PID 2396 wrote to memory of 832 2396 Cfinoq32.exe 36 PID 2396 wrote to memory of 832 2396 Cfinoq32.exe 36 PID 2396 wrote to memory of 832 2396 Cfinoq32.exe 36 PID 832 wrote to memory of 1860 832 Chhjkl32.exe 37 PID 832 wrote to memory of 1860 832 Chhjkl32.exe 37 PID 832 wrote to memory of 1860 832 Chhjkl32.exe 37 PID 832 wrote to memory of 1860 832 Chhjkl32.exe 37 PID 1860 wrote to memory of 308 1860 Ckffgg32.exe 38 PID 1860 wrote to memory of 308 1860 Ckffgg32.exe 38 PID 1860 wrote to memory of 308 1860 Ckffgg32.exe 38 PID 1860 wrote to memory of 308 1860 Ckffgg32.exe 38 PID 308 wrote to memory of 1632 308 Ddokpmfo.exe 39 PID 308 wrote to memory of 1632 308 Ddokpmfo.exe 39 PID 308 wrote to memory of 1632 308 Ddokpmfo.exe 39 PID 308 wrote to memory of 1632 308 Ddokpmfo.exe 39 PID 1632 wrote to memory of 2408 1632 Dgmglh32.exe 40 PID 1632 wrote to memory of 2408 1632 Dgmglh32.exe 40 PID 1632 wrote to memory of 2408 1632 Dgmglh32.exe 40 PID 1632 wrote to memory of 2408 1632 Dgmglh32.exe 40 PID 2408 wrote to memory of 1244 2408 Dngoibmo.exe 41 PID 2408 wrote to memory of 1244 2408 Dngoibmo.exe 41 PID 2408 wrote to memory of 1244 2408 Dngoibmo.exe 41 PID 2408 wrote to memory of 1244 2408 Dngoibmo.exe 41 PID 1244 wrote to memory of 2920 1244 Dqelenlc.exe 42 PID 1244 wrote to memory of 2920 1244 Dqelenlc.exe 42 PID 1244 wrote to memory of 2920 1244 Dqelenlc.exe 42 PID 1244 wrote to memory of 2920 1244 Dqelenlc.exe 42 PID 2920 wrote to memory of 2872 2920 Dkkpbgli.exe 43 PID 2920 wrote to memory of 2872 2920 Dkkpbgli.exe 43 PID 2920 wrote to memory of 2872 2920 Dkkpbgli.exe 43 PID 2920 wrote to memory of 2872 2920 Dkkpbgli.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\494c88f999c5b9b09f350ec1378b50df2ce5a9264731725d05dfc8936c38814e_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:296 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:756 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe34⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe36⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe38⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe39⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe44⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe45⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe46⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe50⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe51⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe52⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe54⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe55⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe57⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe58⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe60⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe61⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe62⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe65⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe66⤵PID:2324
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe67⤵PID:2104
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe68⤵PID:2300
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe70⤵
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe71⤵PID:1532
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe73⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe74⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe75⤵PID:1188
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe76⤵PID:2704
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe77⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe78⤵PID:1128
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe80⤵PID:2784
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe81⤵
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe82⤵
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe83⤵PID:2812
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe84⤵PID:2056
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe87⤵PID:892
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe88⤵PID:1268
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe89⤵PID:1788
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe90⤵PID:2696
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe91⤵PID:2752
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe92⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe93⤵PID:2932
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe94⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe95⤵PID:1608
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe96⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe97⤵PID:1324
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe98⤵PID:2804
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe99⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:596 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe103⤵PID:2144
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe104⤵PID:1588
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe105⤵PID:2720
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe106⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe107⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe108⤵PID:1724
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe109⤵PID:2928
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe110⤵
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe112⤵PID:2412
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe114⤵PID:1456
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe116⤵PID:2196
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe117⤵PID:2084
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe118⤵PID:2756
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe120⤵PID:1664
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe121⤵
- Drops file in System32 directory
PID:2816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-