Analysis
- max time kernel: 145s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 30/06/2024, 17:01
Tasks
- static1 (static task)
- behavioral1 (behavioral task): sample 100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352_NeikiAnalytics.exe, resource win7-20240611-en
- behavioral2 (behavioral task): sample 100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352_NeikiAnalytics.exe, resource win10v2004-20240508-en
General
- Target: 100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352_NeikiAnalytics.exe
- Size: 240KB
- MD5: 243d5c15fdc47ddf695d8be43f1bc460
- SHA1: 6801cd1543f3b37cc6ab0282e34ae4be1281213e
- SHA256: 100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352
- SHA512: 3027abf86e3e9449c16fe7719b029d96cbaa641424086b34fbf48e5fde7a882f9e2b604af758f12a0b16a6cd59a4c6bd05e8ef2b0707bc9f954f2129bf7009ac
- SSDEEP: 6144:gt+hIFYcGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:m3GyXu1jGG1wsGeBgRTGA
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad (SSODL) when the shell starts. The sample and the executables it drops create that key and set a value named "Web Event Logger" to {79FAA099-1BAE-816E-D711-115290CEE717}; the "Modifies registry class" signature below shows the other half of the chain, the CLSID\{79FAA099-...}\InProcServer32 entry that maps this CLSID to a dropped DLL in SysWOW64. Both keys land under Wow6432Node because the sample is 32-bit and its registry writes to HKLM\Software are redirected; the "Process not Found" rows are writes whose originating process had already exited when the sandbox attributed the event.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aecaidjl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdhkfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdbpnk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Golbnm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdpfadlm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnofgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dcdkef32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pehebbbh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfpgmdog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jolepe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Depbfhpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oidiekdn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plgolf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnnbni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpiaipmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehmbng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Neqnqofm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkifkdjm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npfjbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckecpjdh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idmkdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jenbjc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfohgepi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pebbcdkn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Neklbppb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajmfad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfhmqhkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbmfkkbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Giiglhjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Faonom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjbafi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmjoqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Picojhcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmfmojcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibibfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nopaoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afeaei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddiibc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opfbngfb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbjeinje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbiocd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olchjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmqkml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Helgmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hcldhnkk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgiaefgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qanmcdlm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Genlgnhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnodgbed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ehoocgeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbleeb32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2800 | Jnicmdli.exe
2712 | Jbgkcb32.exe
2852 | Jnmlhchd.exe
2536 | Jgfqaiod.exe
2556 | Kqqboncb.exe
2576 | Kjifhc32.exe
2976 | Kfpgmdog.exe
688 | Kklpekno.exe
2820 | Kiqpop32.exe
1748 | Kaldcb32.exe
2028 | Kjdilgpc.exe
2908 | Leljop32.exe
1644 | Ljibgg32.exe
2384 | Lmikibio.exe
2880 | Lpjdjmfp.exe
1976 | Mooaljkh.exe
284 | Mieeibkn.exe
2380 | Migbnb32.exe
236 | Modkfi32.exe
1740 | Mkklljmg.exe
1860 | Maedhd32.exe
904 | Magqncba.exe
2584 | Nmnace32.exe
2148 | Niebhf32.exe
2080 | Nekbmgcn.exe
2256 | Nodgel32.exe
2416 | Nhllob32.exe
2692 | Nadpgggp.exe
2612 | Nkmdpm32.exe
2620 | Ohaeia32.exe
2752 | Ohcaoajg.exe
2564 | Oalfhf32.exe
1052 | Okdkal32.exe
2760 | Onbgmg32.exe
592 | Ogkkfmml.exe
2484 | Odoloalf.exe
2500 | Pngphgbf.exe
308 | Pfbelipa.exe
1912 | Pcfefmnk.exe
1640 | Pqjfoa32.exe
752 | Pkdgpo32.exe
912 | Pfikmh32.exe
2336 | Pndpajgd.exe
1636 | Qgmdjp32.exe
2724 | Qeaedd32.exe
1480 | Qjnmlk32.exe
2996 | Aecaidjl.exe
2064 | Cgbfamff.exe
2248 | Chfpoeja.exe
1664 | Cophko32.exe
3024 | Cejphiik.exe
1056 | Dkgippgb.exe
2212 | Daqamj32.exe
3036 | Dhkiid32.exe
3056 | Dngabk32.exe
2672 | Dhmfod32.exe
2736 | Dnjngk32.exe
2984 | Dddfdejn.exe
2804 | Djqoll32.exe
2636 | Ddfcje32.exe
2180 | Djclbl32.exe
1816 | Ddhpod32.exe
2172 | Ejehgkdp.exe
1320 | Eobapbbg.exe
Loads dropped DLL (64 IoCs; each process appears twice in the source list)
pid | Process
1476 | 100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352_NeikiAnalytics.exe
2800 | Jnicmdli.exe
2712 | Jbgkcb32.exe
2852 | Jnmlhchd.exe
2536 | Jgfqaiod.exe
2556 | Kqqboncb.exe
2576 | Kjifhc32.exe
2976 | Kfpgmdog.exe
688 | Kklpekno.exe
2820 | Kiqpop32.exe
1748 | Kaldcb32.exe
2028 | Kjdilgpc.exe
2908 | Leljop32.exe
1644 | Ljibgg32.exe
2384 | Lmikibio.exe
2880 | Lpjdjmfp.exe
1976 | Mooaljkh.exe
284 | Mieeibkn.exe
2380 | Migbnb32.exe
236 | Modkfi32.exe
1740 | Mkklljmg.exe
1860 | Maedhd32.exe
904 | Magqncba.exe
2584 | Nmnace32.exe
2148 | Niebhf32.exe
2080 | Nekbmgcn.exe
2256 | Nodgel32.exe
2416 | Nhllob32.exe
2692 | Nadpgggp.exe
2612 | Nkmdpm32.exe
2620 | Ohaeia32.exe
2752 | Ohcaoajg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Pqjfoa32.exe | Pcfefmnk.exe
File opened for modification | C:\Windows\SysWOW64\Oehklddp.exe | Odgodl32.exe
File created | C:\Windows\SysWOW64\Jlnaae32.dll | Iiqldc32.exe
File opened for modification | C:\Windows\SysWOW64\Nqmnjd32.exe | Nnnbni32.exe
File created | C:\Windows\SysWOW64\Cmkfji32.exe | Cgnnab32.exe
File created | C:\Windows\SysWOW64\Glmbma32.dll | Lcdjpfgh.exe
File opened for modification | C:\Windows\SysWOW64\Oidiekdn.exe | Olpilg32.exe
File created | C:\Windows\SysWOW64\Ibagdh32.dll | Foahmh32.exe
File opened for modification | C:\Windows\SysWOW64\Kjhcag32.exe | Kdnkdmec.exe
File created | C:\Windows\SysWOW64\Mfkbpc32.dll | Ohaeia32.exe
File created | C:\Windows\SysWOW64\Eiilephi.dll | Lcblan32.exe
File created | C:\Windows\SysWOW64\Ficehj32.exe | Ffdilo32.exe
File opened for modification | C:\Windows\SysWOW64\Hnpgloog.exe | Hkbkpcpd.exe
File opened for modification | C:\Windows\SysWOW64\Pofldf32.exe | Process not Found
File created | C:\Windows\SysWOW64\Lefikg32.exe | Process not Found
File created | C:\Windows\SysWOW64\Enbnkigh.exe | Ddiibc32.exe
File opened for modification | C:\Windows\SysWOW64\Plolgk32.exe | Pphkbj32.exe
File created | C:\Windows\SysWOW64\Njfaognh.dll | Fooembgb.exe
File opened for modification | C:\Windows\SysWOW64\Iejkhlip.exe | Iblola32.exe
File opened for modification | C:\Windows\SysWOW64\Dodahk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Iaobkf32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jpepkk32.exe | Jjhgbd32.exe
File created | C:\Windows\SysWOW64\Leoolamp.dll | Npolmh32.exe
File created | C:\Windows\SysWOW64\Nlqiie32.dll | Process not Found
File created | C:\Windows\SysWOW64\Hkclkc32.dll | Process not Found
File created | C:\Windows\SysWOW64\Ndpicm32.exe | Naalga32.exe
File created | C:\Windows\SysWOW64\Llgjaeoj.exe | Lcofio32.exe
File created | C:\Windows\SysWOW64\Makkcc32.exe | Mgegfk32.exe
File created | C:\Windows\SysWOW64\Egfjdchi.exe | Enneln32.exe
File opened for modification | C:\Windows\SysWOW64\Icgdcm32.exe | Process not Found
File created | C:\Windows\SysWOW64\Giioglkn.dll | Ghmkjedk.exe
File created | C:\Windows\SysWOW64\Dhnhab32.dll | Dhbdleol.exe
File created | C:\Windows\SysWOW64\Opjkpo32.exe | Ojmbgh32.exe
File created | C:\Windows\SysWOW64\Kpaphegf.dll | Mkofaj32.exe
File opened for modification | C:\Windows\SysWOW64\Cdngip32.exe | Caokmd32.exe
File created | C:\Windows\SysWOW64\Cdfgmnpa.exe | Process not Found
File created | C:\Windows\SysWOW64\Cgekkhbb.dll | Opfbngfb.exe
File opened for modification | C:\Windows\SysWOW64\Kpicle32.exe | Kkjnnn32.exe
File created | C:\Windows\SysWOW64\Kjheobko.dll | Process not Found
File created | C:\Windows\SysWOW64\Oionacqo.exe | Nadimacd.exe
File created | C:\Windows\SysWOW64\Cmbalfem.exe | Cfhiplmp.exe
File created | C:\Windows\SysWOW64\Kfaalh32.exe | Koflgf32.exe
File created | C:\Windows\SysWOW64\Lekjal32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pkhdnh32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kfaalh32.exe | Koflgf32.exe
File created | C:\Windows\SysWOW64\Jmlfmn32.exe | Jkkjeeke.exe
File created | C:\Windows\SysWOW64\Ncaean32.dll | Fabmmejd.exe
File opened for modification | C:\Windows\SysWOW64\Pfbelipa.exe | Pngphgbf.exe
File opened for modification | C:\Windows\SysWOW64\Palepb32.exe | Plolgk32.exe
File created | C:\Windows\SysWOW64\Eifppipg.dll | Nbjeinje.exe
File created | C:\Windows\SysWOW64\Mgdeifom.dll | Cfhkhd32.exe
File created | C:\Windows\SysWOW64\Bmbhcoif.dll | Agpeaa32.exe
File created | C:\Windows\SysWOW64\Gcedad32.exe | Gmhkin32.exe
File created | C:\Windows\SysWOW64\Gfcopl32.exe | Gpjfcali.exe
File created | C:\Windows\SysWOW64\Ijehdl32.exe | Ioohokoo.exe
File opened for modification | C:\Windows\SysWOW64\Jeqopcld.exe | Jlhkgm32.exe
File opened for modification | C:\Windows\SysWOW64\Mfmqmgbm.exe | Mdldeo32.exe
File created | C:\Windows\SysWOW64\Ojmbgh32.exe | Occjjnap.exe
File opened for modification | C:\Windows\SysWOW64\Okbapi32.exe | Oqmmbqgd.exe
File opened for modification | C:\Windows\SysWOW64\Laogfg32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hkojbh32.dll | Oehklddp.exe
File created | C:\Windows\SysWOW64\Gckmjbbc.dll | Ajmfad32.exe
File opened for modification | C:\Windows\SysWOW64\Niebhf32.exe | Nmnace32.exe
File created | C:\Windows\SysWOW64\Ndnmialh.exe | Nndemg32.exe
Program crash (1 IoC)
pid | pid_target | Process
3608 | 4076 | Process not Found
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdoomf32.dll" | Fqlicclo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phploedo.dll" | Kobkpdfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmkfaia.dll" | Giolnomh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lcblan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkadbc32.dll" | Qblfkgqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkohlcb.dll" | Hdgkicek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mooaljkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hhejnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iipiljgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Imhqbkbm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eclcon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddfcje32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bhjneadb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abeoed32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbjeinje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnifgpff.dll" | Kdbpnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hfegij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joqgkdem.dll" | Ghibjjnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalab32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epnlhaii.dll" | Mjpkqonj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinafidh.dll" | Npdfhhhe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ncnngfna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebepdj32.dll" | Eimcjl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Naegmabc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nmnace32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jajala32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfnin32.dll" | Hebnlb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnofaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chggdoee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bffbdadk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monoflqe.dll" | Djiqdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ppcmfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfpcblfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fqmpni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemnfnhd.dll" | Jeadap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qoeeolig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhplbf.dll" | Cedpbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqhfa32.dll" | Pebbcdkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemmkpog.dll" | Goocenaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfnge32.dll" | Ggkqmoma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpmooind.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lijiaabk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmphha32.dll" | Gllnnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqodfpah.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aqhhanig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaaidm.dll" | Ofcqcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfhi32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aflhek32.dll" | Hjddaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kncofa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jhdlad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdoime32.dll" | Famaimfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcklc32.dll" | Cejphiik.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ioilkblq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jcjnfdbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jkfpjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Miclhpjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fdqiiaih.exe
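The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are halves of one persistence chain: an SSODL value names a CLSID, and the CLSID's InProcServer32 key names the DLL that Explorer will load. The PowerShell below is an added example for this page, not code from tria.ge or from the sample. It reads every value under ShellServiceObjectDelayLoad in the native view, the Wow6432Node view and HKCU, resolves each CLSID through the matching CLSID hives to the InProcServer32 default value, reports whether that DLL exists and who signed it, and separately matches the CLSID and value name recorded in this report as a direct IOC. Assumptions: PowerShell 3 or later, run from an elevated prompt on the host being checked; the function name Resolve-SsodlEntry and the key lists are this example's own choices.

```powershell
# Added example (not part of the tria.ge report): audit ShellServiceObjectDelayLoad (SSODL)
# persistence in both registry views and resolve each CLSID to the DLL Explorer would load.
# Assumes PowerShell 3+ and an elevated session.

$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',             # read by 64-bit Explorer
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad', # where a 32-bit writer lands
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
# IOC taken from this report: value name and CLSID written by the sample.
$reportValueName = 'Web Event Logger'
$reportClsid     = '{79FAA099-1BAE-816E-D711-115290CEE717}'

function Resolve-SsodlEntry {
    # Emit one object per CLSID hive in which the CLSID has an InProcServer32 key.
    param([string]$Name, [string]$Clsid, [string]$SourceKey)
    foreach ($root in $clsidRoots) {
        $ips = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path $ips)) { continue }
        $dll = (Get-ItemProperty -Path $ips -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $exists   = Test-Path -LiteralPath $expanded
        $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $expanded } else { $null }
        [pscustomobject]@{
            SsodlKey  = $SourceKey
            Name      = $Name
            CLSID     = $Clsid
            ClsidKey  = $ips
            Dll       = $expanded
            Exists    = [bool]$exists
            Signature = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$findings = foreach ($key in $ssodlKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own bookkeeping properties; keep only GUID-valued entries.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $clsid = [string]$p.Value
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $resolved = @(Resolve-SsodlEntry -Name $p.Name -Clsid $clsid -SourceKey $key)
        if ($resolved.Count -eq 0) {
            # An SSODL entry whose CLSID is not registered anywhere is still worth seeing.
            [pscustomobject]@{ SsodlKey = $key; Name = $p.Name; CLSID = $clsid; ClsidKey = '';
                               Dll = ''; Exists = $false; Signature = 'NoInProcServer32'; Signer = '' }
        } else { $resolved }
    }
}

# Anything Explorer would load that is not a validly signed Microsoft binary gets a warning.
$suspicious = $findings | Where-Object { $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
$iocHits    = $findings | Where-Object { $_.CLSID -ieq $reportClsid -or $_.Name -eq $reportValueName }

$findings | Format-Table SsodlKey, Name, CLSID, Dll, Signature -AutoSize
foreach ($s in $suspicious) {
    Write-Warning ("SSODL '{0}' ({1}) -> {2} [{3}] via {4}" -f $s.Name, $s.CLSID, $s.Dll, $s.Signature, $s.SsodlKey)
}
foreach ($h in $iocHits) {
    Write-Warning ("Report IOC match: '{0}' = {1} under {2}" -f $h.Name, $h.CLSID, $h.SsodlKey)
}
```

Check both views: a 64-bit Explorer reads the native SSODL key, while this sample, being 32-bit, wrote its entries under Wow6432Node, so a hunt that looks only at the native path sees nothing. On older Windows builds Get-AuthenticodeSignature does not consult the signing catalogs, so catalog-signed Microsoft DLLs can report NotSigned; treat the Signature column as a triage aid and confirm with a hash against a known-good image before acting on it.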
Suspicious use of WriteProcessMemory (64 IoCs; each entry appears four times in the source list)
Every parent writes to its newly created child, and the child then repeats the same pattern with the next dropped executable, so the list is the same chain as the process tree below. Identical write counts on every link, immediately after creation, are consistent with ordinary process creation as the sandbox records it rather than with code injection; the notable behaviour is the chain itself.
description | pid | Process | procid_target
PID 1476 wrote to memory of 2800 | 1476 | 100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352_NeikiAnalytics.exe | 28
PID 2800 wrote to memory of 2712 | 2800 | Jnicmdli.exe | 29
PID 2712 wrote to memory of 2852 | 2712 | Jbgkcb32.exe | 30
PID 2852 wrote to memory of 2536 | 2852 | Jnmlhchd.exe | 31
PID 2536 wrote to memory of 2556 | 2536 | Jgfqaiod.exe | 32
PID 2556 wrote to memory of 2576 | 2556 | Kqqboncb.exe | 33
PID 2576 wrote to memory of 2976 | 2576 | Kjifhc32.exe | 34
PID 2976 wrote to memory of 688 | 2976 | Kfpgmdog.exe | 35
PID 688 wrote to memory of 2820 | 688 | Kklpekno.exe | 36
PID 2820 wrote to memory of 1748 | 2820 | Kiqpop32.exe | 37
PID 1748 wrote to memory of 2028 | 1748 | Kaldcb32.exe | 38
PID 2028 wrote to memory of 2908 | 2028 | Kjdilgpc.exe | 39
PID 2908 wrote to memory of 1644 | 2908 | Leljop32.exe | 40
PID 1644 wrote to memory of 2384 | 1644 | Ljibgg32.exe | 41
PID 2384 wrote to memory of 2880 | 2384 | Lmikibio.exe | 42
PID 2880 wrote to memory of 1976 | 2880 | Lpjdjmfp.exe | 43
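The file-system side of this chain ("Drops file in System32 directory", "Executes dropped EXE", "Loads dropped DLL" and the WriteProcessMemory list above) leaves an artifact that is easy to hunt for on a live host: eight-character PE files in SysWOW64 that Microsoft did not sign, each one started by the previous one. The PowerShell below is an added example for this page, not code from tria.ge or from the sample. It lists files in System32 and SysWOW64 whose names fit the pattern of the dropped files in this report, checks their Authenticode signature, and records whether a process is currently running from that path. Assumptions: PowerShell 3 or later, elevated; the name regex is derived from the names in this report and is only a pre-filter, and the 30-day creation-time window is a choice made for this example.

```powershell
# Added example (not part of the tria.ge report): hunt for dropped PE files in System32/SysWOW64
# that look like the ones in this report. Assumes PowerShell 3+ and an elevated session.

$dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Pre-filter derived from this report's dropped names: eight letters (Jnicmdli.exe),
# or six letters followed by "32" (Modkfi32.exe, Pdoomf32.dll). Legitimate files such as
# kernel32.dll also match, so the signature check below is the real filter.
$namePattern = '^(?:[A-Za-z]{8}|[A-Za-z]{6}32)\.(?:exe|dll)$'
$since = (Get-Date).AddDays(-30)   # assumption: only files created in the last 30 days

# Map lower-cased image paths to PIDs so a hit can be tied to a live process.
$running = @{}
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($proc.Path) { $running[$proc.Path.ToLower()] = $proc.Id }
}

$hits = foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern -and $_.CreationTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB)
                Signature = [string]$sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                RunningAs = $running[$_.FullName.ToLower()]   # PID, or $null if not running
            }
        }
}

# Keep only files that are not validly signed by Microsoft; sort by creation time so the
# drop order (each file written by the previous one) is visible.
$untrusted = $hits | Where-Object { $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
$untrusted | Sort-Object Created | Format-Table Created, Path, SizeKB, Signature, RunningAs -AutoSize

# Optional: hash the hits for comparison with the report (SHA256 of the sample is in "General").
$untrusted | ForEach-Object { Get-FileHash -Algorithm SHA256 -Path $_.Path } |
    Format-Table Hash, Path -AutoSize
```

The creation-time ordering matters more than the name pattern: the report shows each dropped executable creating the next, so on an infected host the untrusted hits form a tightly spaced sequence. The same caveat as for the registry audit applies to the Signature column on older builds, where catalog-signed system files can show as NotSigned; compare hashes before deleting anything.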
Processes
-
- [level 1] C:\Users\Admin\AppData\Local\Temp\100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352_NeikiAnalytics.exe, command line "C:\Users\Admin\AppData\Local\Temp\100d29d877123cd7798d2303369105dc7f4a541b020d3e00c655e2eecb6f8352_NeikiAnalytics.exe", PID 1476
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 2] C:\Windows\SysWOW64\Jnicmdli.exe, command line C:\Windows\system32\Jnicmdli.exe, PID 2800
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 3] C:\Windows\SysWOW64\Jbgkcb32.exe, command line C:\Windows\system32\Jbgkcb32.exe, PID 2712
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 4] C:\Windows\SysWOW64\Jnmlhchd.exe, command line C:\Windows\system32\Jnmlhchd.exe, PID 2852
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 5] C:\Windows\SysWOW64\Jgfqaiod.exe, command line C:\Windows\system32\Jgfqaiod.exe, PID 2536
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 6] C:\Windows\SysWOW64\Kqqboncb.exe, command line C:\Windows\system32\Kqqboncb.exe, PID 2556
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 7] C:\Windows\SysWOW64\Kjifhc32.exe, command line C:\Windows\system32\Kjifhc32.exe, PID 2576
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 8] C:\Windows\SysWOW64\Kfpgmdog.exe, command line C:\Windows\system32\Kfpgmdog.exe, PID 2976
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 9] C:\Windows\SysWOW64\Kklpekno.exe, command line C:\Windows\system32\Kklpekno.exe, PID 688
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 10] C:\Windows\SysWOW64\Kiqpop32.exe, command line C:\Windows\system32\Kiqpop32.exe, PID 2820
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 11] C:\Windows\SysWOW64\Kaldcb32.exe, command line C:\Windows\system32\Kaldcb32.exe, PID 1748
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 12] C:\Windows\SysWOW64\Kjdilgpc.exe, command line C:\Windows\system32\Kjdilgpc.exe, PID 2028
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 13] C:\Windows\SysWOW64\Leljop32.exe, command line C:\Windows\system32\Leljop32.exe, PID 2908
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 14] C:\Windows\SysWOW64\Ljibgg32.exe, command line C:\Windows\system32\Ljibgg32.exe, PID 1644
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 15] C:\Windows\SysWOW64\Lmikibio.exe, command line C:\Windows\system32\Lmikibio.exe, PID 2384
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 16] C:\Windows\SysWOW64\Lpjdjmfp.exe, command line C:\Windows\system32\Lpjdjmfp.exe, PID 2880
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [level 17] C:\Windows\SysWOW64\Mooaljkh.exe, command line C:\Windows\system32\Mooaljkh.exe, PID 1976
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- [level 18] C:\Windows\SysWOW64\Mieeibkn.exe, command line C:\Windows\system32\Mieeibkn.exe, PID 284
  - Executes dropped EXE
  - Loads dropped DLL
- [level 19] C:\Windows\SysWOW64\Migbnb32.exe, command line C:\Windows\system32\Migbnb32.exe, PID 2380
  - Executes dropped EXE
  - Loads dropped DLL
- [level 20] C:\Windows\SysWOW64\Modkfi32.exe, command line C:\Windows\system32\Modkfi32.exe, PID 236
  - Executes dropped EXE
  - Loads dropped DLL
- [level 21] C:\Windows\SysWOW64\Mkklljmg.exe, command line C:\Windows\system32\Mkklljmg.exe, PID 1740
  - Executes dropped EXE
  - Loads dropped DLL
- [level 22] C:\Windows\SysWOW64\Maedhd32.exe, command line C:\Windows\system32\Maedhd32.exe, PID 1860
  - Executes dropped EXE
  - Loads dropped DLL
- [level 23] C:\Windows\SysWOW64\Magqncba.exe, command line C:\Windows\system32\Magqncba.exe, PID 904
  - Executes dropped EXE
  - Loads dropped DLL
- [level 24] C:\Windows\SysWOW64\Nmnace32.exe, command line C:\Windows\system32\Nmnace32.exe, PID 2584
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
- [level 25] C:\Windows\SysWOW64\Niebhf32.exe, command line C:\Windows\system32\Niebhf32.exe, PID 2148
  - Executes dropped EXE
  - Loads dropped DLL
- [level 26] C:\Windows\SysWOW64\Nekbmgcn.exe, command line C:\Windows\system32\Nekbmgcn.exe, PID 2080
  - Executes dropped EXE
  - Loads dropped DLL
- [level 27] C:\Windows\SysWOW64\Nodgel32.exe, command line C:\Windows\system32\Nodgel32.exe, PID 2256
  - Executes dropped EXE
  - Loads dropped DLL
- [level 28] C:\Windows\SysWOW64\Nhllob32.exe, command line C:\Windows\system32\Nhllob32.exe, PID 2416
  - Executes dropped EXE
  - Loads dropped DLL
- [level 29] C:\Windows\SysWOW64\Nadpgggp.exe, command line C:\Windows\system32\Nadpgggp.exe, PID 2692
  - Executes dropped EXE
  - Loads dropped DLL
- [level 30] C:\Windows\SysWOW64\Nkmdpm32.exe, command line C:\Windows\system32\Nkmdpm32.exe, PID 2612
  - Executes dropped EXE
  - Loads dropped DLL
- [level 31] C:\Windows\SysWOW64\Ohaeia32.exe, command line C:\Windows\system32\Ohaeia32.exe, PID 2620
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- [level 32] C:\Windows\SysWOW64\Ohcaoajg.exe, command line C:\Windows\system32\Ohcaoajg.exe, PID 2752
  - Executes dropped EXE
  - Loads dropped DLL
- [level 33] C:\Windows\SysWOW64\Oalfhf32.exe, command line C:\Windows\system32\Oalfhf32.exe, PID 2564
  - Executes dropped EXE
- [level 34] C:\Windows\SysWOW64\Okdkal32.exe, command line C:\Windows\system32\Okdkal32.exe, PID 1052
  - Executes dropped EXE
- [level 35] C:\Windows\SysWOW64\Onbgmg32.exe, command line C:\Windows\system32\Onbgmg32.exe, PID 2760
  - Executes dropped EXE
- [level 36] C:\Windows\SysWOW64\Ogkkfmml.exe, command line C:\Windows\system32\Ogkkfmml.exe, PID 592
  - Executes dropped EXE
- [level 37] C:\Windows\SysWOW64\Odoloalf.exe, command line C:\Windows\system32\Odoloalf.exe, PID 2484
  - Executes dropped EXE
- [level 38] C:\Windows\SysWOW64\Pngphgbf.exe, command line C:\Windows\system32\Pngphgbf.exe, PID 2500
  - Executes dropped EXE
  - Drops file in System32 directory
- [level 39] C:\Windows\SysWOW64\Pfbelipa.exe, command line C:\Windows\system32\Pfbelipa.exe, PID 308
  - Executes dropped EXE
- [level 40] C:\Windows\SysWOW64\Pcfefmnk.exe, command line C:\Windows\system32\Pcfefmnk.exe, PID 1912
  - Executes dropped EXE
  - Drops file in System32 directory
- [level 41] C:\Windows\SysWOW64\Pqjfoa32.exe, command line C:\Windows\system32\Pqjfoa32.exe, PID 1640
  - Executes dropped EXE
- [level 42] C:\Windows\SysWOW64\Pkdgpo32.exe, command line C:\Windows\system32\Pkdgpo32.exe, PID 752
  - Executes dropped EXE
- [level 43] C:\Windows\SysWOW64\Pfikmh32.exe, command line C:\Windows\system32\Pfikmh32.exe, PID 912
  - Executes dropped EXE
- [level 44] C:\Windows\SysWOW64\Pndpajgd.exe, command line C:\Windows\system32\Pndpajgd.exe, PID 2336
  - Executes dropped EXE
- [level 45] C:\Windows\SysWOW64\Qgmdjp32.exe, command line C:\Windows\system32\Qgmdjp32.exe, PID 1636
  - Executes dropped EXE
- [level 46] C:\Windows\SysWOW64\Qeaedd32.exe, command line C:\Windows\system32\Qeaedd32.exe, PID 2724
  - Executes dropped EXE
- [level 47] C:\Windows\SysWOW64\Qjnmlk32.exe, command line C:\Windows\system32\Qjnmlk32.exe, PID 1480
  - Executes dropped EXE
- [level 48] C:\Windows\SysWOW64\Aecaidjl.exe, command line C:\Windows\system32\Aecaidjl.exe, PID 2996
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [level 49] C:\Windows\SysWOW64\Cgbfamff.exe, command line C:\Windows\system32\Cgbfamff.exe, PID 2064
  - Executes dropped EXE
- [level 50] C:\Windows\SysWOW64\Chfpoeja.exe, command line C:\Windows\system32\Chfpoeja.exe, PID 2248
  - Executes dropped EXE
- [level 51] C:\Windows\SysWOW64\Cophko32.exe, command line C:\Windows\system32\Cophko32.exe, PID 1664
  - Executes dropped EXE
- [level 52] C:\Windows\SysWOW64\Cejphiik.exe, command line C:\Windows\system32\Cejphiik.exe, PID 3024
  - Executes dropped EXE
  - Modifies registry class
- [level 53] C:\Windows\SysWOW64\Dkgippgb.exe, command line C:\Windows\system32\Dkgippgb.exe, PID 1056
  - Executes dropped EXE
- [level 54] C:\Windows\SysWOW64\Daqamj32.exe, command line C:\Windows\system32\Daqamj32.exe, PID 2212
  - Executes dropped EXE
- [level 55] C:\Windows\SysWOW64\Dhkiid32.exe, command line C:\Windows\system32\Dhkiid32.exe, PID 3036
  - Executes dropped EXE
- [level 56] C:\Windows\SysWOW64\Dngabk32.exe, command line C:\Windows\system32\Dngabk32.exe, PID 3056
  - Executes dropped EXE
- [level 57] C:\Windows\SysWOW64\Dhmfod32.exe, command line C:\Windows\system32\Dhmfod32.exe, PID 2672
  - Executes dropped EXE
- [level 58] C:\Windows\SysWOW64\Dnjngk32.exe, command line C:\Windows\system32\Dnjngk32.exe, PID 2736
  - Executes dropped EXE
- [level 59] C:\Windows\SysWOW64\Dddfdejn.exe, command line C:\Windows\system32\Dddfdejn.exe, PID 2984
  - Executes dropped EXE
- [level 60] C:\Windows\SysWOW64\Djqoll32.exe, command line C:\Windows\system32\Djqoll32.exe, PID 2804
  - Executes dropped EXE
- [level 61] C:\Windows\SysWOW64\Ddfcje32.exe, command line C:\Windows\system32\Ddfcje32.exe, PID 2636
  - Executes dropped EXE
  - Modifies registry class
- [level 62] C:\Windows\SysWOW64\Djclbl32.exe, command line C:\Windows\system32\Djclbl32.exe, PID 2180
  - Executes dropped EXE
- [level 63] C:\Windows\SysWOW64\Ddhpod32.exe, command line C:\Windows\system32\Ddhpod32.exe, PID 1816
  - Executes dropped EXE
- [level 64] C:\Windows\SysWOW64\Ejehgkdp.exe, command line C:\Windows\system32\Ejehgkdp.exe, PID 2172
  - Executes dropped EXE
- [level 65] C:\Windows\SysWOW64\Eobapbbg.exe, command line C:\Windows\system32\Eobapbbg.exe, PID 1320
  - Executes dropped EXE
- [level 66] C:\Windows\SysWOW64\Eflill32.exe, command line C:\Windows\system32\Eflill32.exe, PID 2684
- [level 67] C:\Windows\SysWOW64\Eqamje32.exe, command line C:\Windows\system32\Eqamje32.exe, PID 1936
- [level 68] C:\Windows\SysWOW64\Ebcjamoh.exe, command line C:\Windows\system32\Ebcjamoh.exe, PID 1804
- [level 69] C:\Windows\SysWOW64\Ehmbng32.exe, command line C:\Windows\system32\Ehmbng32.exe, PID 2124
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 70] C:\Windows\SysWOW64\Eogjka32.exe, command line C:\Windows\system32\Eogjka32.exe, PID 1492
- [level 71] C:\Windows\SysWOW64\Ehoocgeb.exe, command line C:\Windows\system32\Ehoocgeb.exe, PID 2076
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 72] C:\Windows\SysWOW64\Enlglnci.exe, command line C:\Windows\system32\Enlglnci.exe, PID 1928
- [level 73] C:\Windows\SysWOW64\Efcomkcl.exe, command line C:\Windows\system32\Efcomkcl.exe, PID 2784
- [level 74] C:\Windows\SysWOW64\Ekpheb32.exe, command line C:\Windows\system32\Ekpheb32.exe, PID 2644
- [level 75] C:\Windows\SysWOW64\Fqmpni32.exe, command line C:\Windows\system32\Fqmpni32.exe, PID 2764
  - Modifies registry class
- [level 76] C:\Windows\SysWOW64\Fkbdkb32.exe, command line C:\Windows\system32\Fkbdkb32.exe, PID 1164
- [level 77] C:\Windows\SysWOW64\Fnqqgm32.exe, command line C:\Windows\system32\Fnqqgm32.exe, PID 3048
- [level 78] C:\Windows\SysWOW64\Fcmiod32.exe, command line C:\Windows\system32\Fcmiod32.exe, PID 2628
- [level 79] C:\Windows\SysWOW64\Fncmmmma.exe, command line C:\Windows\system32\Fncmmmma.exe, PID 2600
- [level 80] C:\Windows\SysWOW64\Fgkbeb32.exe, command line C:\Windows\system32\Fgkbeb32.exe, PID 840
- [level 81] C:\Windows\SysWOW64\Fqcfnhjb.exe, command line C:\Windows\system32\Fqcfnhjb.exe, PID 1944
- [level 82] C:\Windows\SysWOW64\Fgnokb32.exe, command line C:\Windows\system32\Fgnokb32.exe, PID 2932
- [level 83] C:\Windows\SysWOW64\Fiokbjgn.exe, command line C:\Windows\system32\Fiokbjgn.exe, PID 1208
- [level 84] C:\Windows\SysWOW64\Fafcdh32.exe, command line C:\Windows\system32\Fafcdh32.exe, PID 1620
- [level 85] C:\Windows\SysWOW64\Ffcllo32.exe, command line C:\Windows\system32\Ffcllo32.exe, PID 2144
- [level 86] C:\Windows\SysWOW64\Giahhj32.exe, command line C:\Windows\system32\Giahhj32.exe, PID 2396
- [level 87] C:\Windows\SysWOW64\Gpkpedmh.exe, command line C:\Windows\system32\Gpkpedmh.exe, PID 2068
- [level 88] C:\Windows\SysWOW64\Gicdnj32.exe, command line C:\Windows\system32\Gicdnj32.exe, PID 1940
- [level 89] C:\Windows\SysWOW64\Gpnmjd32.exe, command line C:\Windows\system32\Gpnmjd32.exe, PID 1532
- [level 90] C:\Windows\SysWOW64\Gblifo32.exe, command line C:\Windows\system32\Gblifo32.exe, PID 1656
- [level 91] C:\Windows\SysWOW64\Ghiaof32.exe, command line C:\Windows\system32\Ghiaof32.exe, PID 2592
- [level 92] C:\Windows\SysWOW64\Gaafhloq.exe, command line C:\Windows\system32\Gaafhloq.exe, PID 1792
- [level 93] C:\Windows\SysWOW64\Glgjednf.exe, command line C:\Windows\system32\Glgjednf.exe, PID 580
- [level 94] C:\Windows\SysWOW64\Gacbmk32.exe, command line C:\Windows\system32\Gacbmk32.exe, PID 936
- [level 95] C:\Windows\SysWOW64\Ghmkjedk.exe, command line C:\Windows\system32\Ghmkjedk.exe, PID 2020
  - Drops file in System32 directory
- [level 96] C:\Windows\SysWOW64\Gmjcblbb.exe, command line C:\Windows\system32\Gmjcblbb.exe, PID 1676
- [level 97] C:\Windows\SysWOW64\Hhpgpebh.exe, command line C:\Windows\system32\Hhpgpebh.exe, PID 2720
- [level 98] C:\Windows\SysWOW64\Hmmphlpp.exe, command line C:\Windows\system32\Hmmphlpp.exe, PID 1680
- [level 99] C:\Windows\SysWOW64\Hdfhdfgl.exe, command line C:\Windows\system32\Hdfhdfgl.exe, PID 2372
- [level 100] C:\Windows\SysWOW64\Hjqqap32.exe, command line C:\Windows\system32\Hjqqap32.exe, PID 2832
- [level 101] C:\Windows\SysWOW64\Hajinjff.exe, command line C:\Windows\system32\Hajinjff.exe, PID 436
- [level 102] C:\Windows\SysWOW64\Hbleeb32.exe, command line C:\Windows\system32\Hbleeb32.exe, PID 1948
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 103] C:\Windows\SysWOW64\Hldjnhce.exe, command line C:\Windows\system32\Hldjnhce.exe, PID 2420
- [level 104] C:\Windows\SysWOW64\Hbnbkbja.exe, command line C:\Windows\system32\Hbnbkbja.exe, PID 1528
- [level 105] C:\Windows\SysWOW64\Helngnie.exe, command line C:\Windows\system32\Helngnie.exe, PID 1608
- [level 106] C:\Windows\SysWOW64\Hpbbdfik.exe, command line C:\Windows\system32\Hpbbdfik.exe, PID 2232
- [level 107] C:\Windows\SysWOW64\Heokmmgb.exe, command line C:\Windows\system32\Heokmmgb.exe, PID 2700
- [level 108] C:\Windows\SysWOW64\Ipdojfgh.exe, command line C:\Windows\system32\Ipdojfgh.exe, PID 2656
- [level 109] C:\Windows\SysWOW64\Iimcclni.exe, command line C:\Windows\system32\Iimcclni.exe, PID 2228
- [level 110] C:\Windows\SysWOW64\Ioilkblq.exe, command line C:\Windows\system32\Ioilkblq.exe, PID 868
  - Modifies registry class
- [level 111] C:\Windows\SysWOW64\Iahhgnkd.exe, command line C:\Windows\system32\Iahhgnkd.exe, PID 2744
- [level 112] C:\Windows\SysWOW64\Ihbqdh32.exe, command line C:\Windows\system32\Ihbqdh32.exe, PID 684
- [level 113] C:\Windows\SysWOW64\Imoilo32.exe, command line C:\Windows\system32\Imoilo32.exe, PID 1048
- [level 114] C:\Windows\SysWOW64\Iggned32.exe, command line C:\Windows\system32\Iggned32.exe, PID 2864
- [level 115] C:\Windows\SysWOW64\Inafbooe.exe, command line C:\Windows\system32\Inafbooe.exe, PID 2580
- [level 116] C:\Windows\SysWOW64\Idknoi32.exe, command line C:\Windows\system32\Idknoi32.exe, PID 2288
- [level 117] C:\Windows\SysWOW64\Iihfgp32.exe, command line C:\Windows\system32\Iihfgp32.exe, PID 2980
- [level 118] C:\Windows\SysWOW64\Idmkdh32.exe, command line C:\Windows\system32\Idmkdh32.exe, PID 2952
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 119] C:\Windows\SysWOW64\Jjjclobg.exe, command line C:\Windows\system32\Jjjclobg.exe, PID 2016
- [level 120] C:\Windows\SysWOW64\Jdpgjhbm.exe, command line C:\Windows\system32\Jdpgjhbm.exe, PID 2472
- [level 121] C:\Windows\SysWOW64\Jeadap32.exe, command line C:\Windows\system32\Jeadap32.exe, PID 2868
  - Modifies registry class
- [level 122] C:\Windows\SysWOW64\Jlklnjoh.exe, command line C:\Windows\system32\Jlklnjoh.exe, PID 1632