Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
11/05/2024, 01:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe
-
Size
96KB
-
MD5
520b0c73ec4ef2ec7f5a25407b5e2dd0
-
SHA1
7d2bb2332761f5f396e6d84dda5750979f3518bd
-
SHA256
d2663f2ac94fef5fdff08dd1bf5cd726c6d55d11fa04754b5081a73749f853ed
-
SHA512
a1ef66e5571ad86b0adf4ad16931d7d6d3812fd187f479c64400d355f315960536759da10d8101bee58da949bf15cff4060023b5081a3ad820aba02b39e70987
-
SSDEEP
3072:ATOh/vgfZBNzZZ9LugS7jy8GId69jc0v:npgxtRS4Id6NV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahjpbad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjmkcbcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeddafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfeddafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnbkddem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdlblj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Banepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hknach32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpgmhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhmbagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2144 Qhmbagfa.exe 2708 Qjknnbed.exe 2572 Qaefjm32.exe 2628 Qdccfh32.exe 2716 Qljkhe32.exe 2568 Qjmkcbcb.exe 2496 Qmlgonbe.exe 3060 Qagcpljo.exe 1268 Adeplhib.exe 1732 Ahakmf32.exe 1716 Ajphib32.exe 1564 Ankdiqih.exe 1512 Aajpelhl.exe 2836 Adhlaggp.exe 1168 Ahchbf32.exe 1228 Ajbdna32.exe 2052 Aiedjneg.exe 1888 Ampqjm32.exe 840 Apomfh32.exe 2808 Adjigg32.exe 1660 Ajdadamj.exe 1012 Aigaon32.exe 2408 Ambmpmln.exe 2348 Apajlhka.exe 2896 Admemg32.exe 860 Abpfhcje.exe 2920 Aiinen32.exe 2928 Alhjai32.exe 2476 Apcfahio.exe 2996 Abbbnchb.exe 2780 Afmonbqk.exe 2440 Ailkjmpo.exe 1192 Ahokfj32.exe 1668 Bpfcgg32.exe 2436 Boiccdnf.exe 2756 Bagpopmj.exe 1616 Bingpmnl.exe 1328 Bhahlj32.exe 340 Bokphdld.exe 1304 Bdhhqk32.exe 2188 Bhcdaibd.exe 1776 Bkaqmeah.exe 2088 Bommnc32.exe 536 Balijo32.exe 2960 Bdjefj32.exe 836 Bhfagipa.exe 2684 Bkdmcdoe.exe 1112 Bnbjopoi.exe 2916 Banepo32.exe 944 Bpafkknm.exe 2732 Bdlblj32.exe 2544 Bhhnli32.exe 2760 Bkfjhd32.exe 1092 Bnefdp32.exe 2632 Baqbenep.exe 1636 Bdooajdc.exe 1148 Bcaomf32.exe 2396 Ckignd32.exe 1072 Cjlgiqbk.exe 780 Cngcjo32.exe 1768 Cljcelan.exe 2120 Cdakgibq.exe 2992 Ccdlbf32.exe 2060 Ccdlbf32.exe -
Loads dropped DLL 64 IoCs
pid Process 3048 520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe 3048 520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe 2144 Qhmbagfa.exe 2144 Qhmbagfa.exe 2708 Qjknnbed.exe 2708 Qjknnbed.exe 2572 Qaefjm32.exe 2572 Qaefjm32.exe 2628 Qdccfh32.exe 2628 Qdccfh32.exe 2716 Qljkhe32.exe 2716 Qljkhe32.exe 2568 Qjmkcbcb.exe 2568 Qjmkcbcb.exe 2496 Qmlgonbe.exe 2496 Qmlgonbe.exe 3060 Qagcpljo.exe 3060 Qagcpljo.exe 1268 Adeplhib.exe 1268 Adeplhib.exe 1732 Ahakmf32.exe 1732 Ahakmf32.exe 1716 Ajphib32.exe 1716 Ajphib32.exe 1564 Ankdiqih.exe 1564 Ankdiqih.exe 1512 Aajpelhl.exe 1512 Aajpelhl.exe 2836 Adhlaggp.exe 2836 Adhlaggp.exe 1168 Ahchbf32.exe 1168 Ahchbf32.exe 1228 Ajbdna32.exe 1228 Ajbdna32.exe 2052 Aiedjneg.exe 2052 Aiedjneg.exe 1888 Ampqjm32.exe 1888 Ampqjm32.exe 840 Apomfh32.exe 840 Apomfh32.exe 2808 Adjigg32.exe 2808 Adjigg32.exe 1660 Ajdadamj.exe 1660 Ajdadamj.exe 1012 Aigaon32.exe 1012 Aigaon32.exe 2408 Ambmpmln.exe 2408 Ambmpmln.exe 2348 Apajlhka.exe 2348 Apajlhka.exe 2896 Admemg32.exe 2896 Admemg32.exe 860 Abpfhcje.exe 860 Abpfhcje.exe 2920 Aiinen32.exe 2920 Aiinen32.exe 2928 Alhjai32.exe 2928 Alhjai32.exe 2476 Apcfahio.exe 2476 Apcfahio.exe 2996 Abbbnchb.exe 2996 Abbbnchb.exe 2780 Afmonbqk.exe 2780 Afmonbqk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File created C:\Windows\SysWOW64\Faokjpfd.exe Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Gkgkbipp.exe Gldkfl32.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Ljpghahi.dll Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Ddflckmp.dll Bhhnli32.exe File created C:\Windows\SysWOW64\Keledb32.dll Cfinoq32.exe File created C:\Windows\SysWOW64\Ggpimica.exe Ghmiam32.exe File created C:\Windows\SysWOW64\Hllopfgo.dll Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Qhmbagfa.exe 520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Dbehoa32.exe Dnilobkm.exe File created C:\Windows\SysWOW64\Fmekoalh.exe Fnbkddem.exe File opened for modification C:\Windows\SysWOW64\Bnkajj32.dll Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Ambmpmln.exe Aigaon32.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cljcelan.exe File created C:\Windows\SysWOW64\Hgmhlp32.dll Dcfdgiid.exe File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Efppoc32.exe File opened for modification C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Ffkcbgek.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hlhaqogk.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cfgaiaci.exe File created C:\Windows\SysWOW64\Cfinoq32.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Ekklaj32.exe File created C:\Windows\SysWOW64\Ebinic32.exe Ennaieib.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dkhcmgnl.exe File created C:\Windows\SysWOW64\Pafagk32.dll Doobajme.exe File created C:\Windows\SysWOW64\Cciemedf.exe Comimg32.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Cillgpen.dll Dqlafm32.exe File opened for modification C:\Windows\SysWOW64\Gieojq32.exe Gejcjbah.exe File opened for modification C:\Windows\SysWOW64\Qjmkcbcb.exe Qljkhe32.exe File created C:\Windows\SysWOW64\Dmljjm32.dll Cgbdhd32.exe File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Jkamkfgh.dll Facdeo32.exe File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Ailkjmpo.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Oockje32.dll Chemfl32.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Qdoneabg.dll Bommnc32.exe File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hejoiedd.exe File created C:\Windows\SysWOW64\Cjbmjplb.exe Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gbijhg32.exe File opened for modification C:\Windows\SysWOW64\Kcaipkch.dll Gkkemh32.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Apajlhka.exe Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Cljcelan.exe Cngcjo32.exe File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Hghmjpap.dll Gbijhg32.exe File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe Ghoegl32.exe File created C:\Windows\SysWOW64\Lkebie32.dll Bdhhqk32.exe File created C:\Windows\SysWOW64\Pheafa32.dll Cjbmjplb.exe -
Program crash 1 IoCs
pid pid_target Process 2200 1836 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll" Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enkece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fhhcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkdol32.dll" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gldkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfdcg32.dll" Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqpjbf32.dll" Cjndop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djefobmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokefmej.dll" Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbenjka.dll" Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" Glaoalkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfbdd32.dll" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leajegob.dll" Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Baqbenep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll" Cjlgiqbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qefpjhef.dll" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinika32.dll" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajbdna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Eloemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" Chhjkl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2144 3048 520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe 28 PID 3048 wrote to memory of 2144 3048 520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe 28 PID 3048 wrote to memory of 2144 3048 520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe 28 PID 3048 wrote to memory of 2144 3048 520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe 28 PID 2144 wrote to memory of 2708 2144 Qhmbagfa.exe 29 PID 2144 wrote to memory of 2708 2144 Qhmbagfa.exe 29 PID 2144 wrote to memory of 2708 2144 Qhmbagfa.exe 29 PID 2144 wrote to memory of 2708 2144 Qhmbagfa.exe 29 PID 2708 wrote to memory of 2572 2708 Qjknnbed.exe 30 PID 2708 wrote to memory of 2572 2708 Qjknnbed.exe 30 PID 2708 wrote to memory of 2572 2708 Qjknnbed.exe 30 PID 2708 wrote to memory of 2572 2708 Qjknnbed.exe 30 PID 2572 wrote to memory of 2628 2572 Qaefjm32.exe 31 PID 2572 wrote to memory of 2628 2572 Qaefjm32.exe 31 PID 2572 wrote to memory of 2628 2572 Qaefjm32.exe 31 PID 2572 wrote to memory of 2628 2572 Qaefjm32.exe 31 PID 2628 wrote to memory of 2716 2628 Qdccfh32.exe 32 PID 2628 wrote to memory of 2716 2628 Qdccfh32.exe 32 PID 2628 wrote to memory of 2716 2628 Qdccfh32.exe 32 PID 2628 wrote to memory of 2716 2628 Qdccfh32.exe 32 PID 2716 wrote to memory of 2568 2716 Qljkhe32.exe 33 PID 2716 wrote to memory of 2568 2716 Qljkhe32.exe 33 PID 2716 wrote to memory of 2568 2716 Qljkhe32.exe 33 PID 2716 wrote to memory of 2568 2716 Qljkhe32.exe 33 PID 2568 wrote to memory of 2496 2568 Qjmkcbcb.exe 34 PID 2568 wrote to memory of 2496 2568 Qjmkcbcb.exe 34 PID 2568 wrote to memory of 2496 2568 Qjmkcbcb.exe 34 PID 2568 wrote to memory of 2496 2568 Qjmkcbcb.exe 34 PID 2496 wrote to memory of 3060 2496 Qmlgonbe.exe 35 PID 2496 wrote to memory of 3060 2496 Qmlgonbe.exe 35 PID 2496 wrote to memory of 3060 2496 Qmlgonbe.exe 35 PID 2496 wrote to memory of 3060 2496 Qmlgonbe.exe 35 PID 3060 wrote to memory of 1268 3060 Qagcpljo.exe 36 PID 3060 wrote to memory of 1268 3060 Qagcpljo.exe 36 PID 3060 wrote to memory of 1268 3060 Qagcpljo.exe 36 PID 3060 wrote to memory of 1268 3060 Qagcpljo.exe 36 PID 1268 wrote to memory of 1732 1268 Adeplhib.exe 37 PID 1268 wrote to memory of 1732 1268 Adeplhib.exe 37 PID 1268 wrote to memory of 1732 1268 Adeplhib.exe 37 PID 1268 wrote to memory of 1732 1268 Adeplhib.exe 37 PID 1732 wrote to memory of 1716 1732 Ahakmf32.exe 38 PID 1732 wrote to memory of 1716 1732 Ahakmf32.exe 38 PID 1732 wrote to memory of 1716 1732 Ahakmf32.exe 38 PID 1732 wrote to memory of 1716 1732 Ahakmf32.exe 38 PID 1716 wrote to memory of 1564 1716 Ajphib32.exe 39 PID 1716 wrote to memory of 1564 1716 Ajphib32.exe 39 PID 1716 wrote to memory of 1564 1716 Ajphib32.exe 39 PID 1716 wrote to memory of 1564 1716 Ajphib32.exe 39 PID 1564 wrote to memory of 1512 1564 Ankdiqih.exe 40 PID 1564 wrote to memory of 1512 1564 Ankdiqih.exe 40 PID 1564 wrote to memory of 1512 1564 Ankdiqih.exe 40 PID 1564 wrote to memory of 1512 1564 Ankdiqih.exe 40 PID 1512 wrote to memory of 2836 1512 Aajpelhl.exe 41 PID 1512 wrote to memory of 2836 1512 Aajpelhl.exe 41 PID 1512 wrote to memory of 2836 1512 Aajpelhl.exe 41 PID 1512 wrote to memory of 2836 1512 Aajpelhl.exe 41 PID 2836 wrote to memory of 1168 2836 Adhlaggp.exe 42 PID 2836 wrote to memory of 1168 2836 Adhlaggp.exe 42 PID 2836 wrote to memory of 1168 2836 Adhlaggp.exe 42 PID 2836 wrote to memory of 1168 2836 Adhlaggp.exe 42 PID 1168 wrote to memory of 1228 1168 Ahchbf32.exe 43 PID 1168 wrote to memory of 1228 1168 Ahchbf32.exe 43 PID 1168 wrote to memory of 1228 1168 Ahchbf32.exe 43 PID 1168 wrote to memory of 1228 1168 Ahchbf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\520b0c73ec4ef2ec7f5a25407b5e2dd0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe33⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe34⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe35⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe36⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe38⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe42⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe47⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe48⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe57⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe59⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe63⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe65⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe67⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1104 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe69⤵PID:1644
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe70⤵PID:1364
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe71⤵PID:1604
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe72⤵PID:2140
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe73⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe75⤵PID:2520
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe76⤵PID:2932
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe77⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe78⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe79⤵PID:1612
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe80⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe81⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe82⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe83⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe84⤵PID:1840
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe85⤵PID:652
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe86⤵PID:2540
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe87⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe88⤵
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe89⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe91⤵PID:2432
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe92⤵PID:2636
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe93⤵PID:2612
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe94⤵
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe95⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe96⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe97⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe98⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe99⤵PID:1552
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe100⤵PID:1172
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe101⤵PID:1196
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe102⤵PID:2580
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe103⤵PID:2848
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe104⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe105⤵PID:2736
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe107⤵PID:2208
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe110⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe111⤵PID:776
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe112⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe113⤵PID:2900
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe114⤵PID:2600
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe115⤵PID:3032
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe116⤵PID:1624
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe118⤵PID:2156
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe119⤵PID:1652
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe120⤵PID:1236
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-