Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16/05/2024, 20:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe
-
Size
551KB
-
MD5
2f4993563818cea816e8ac559ed6ba38
-
SHA1
1541e38bb3b6844992d98a22eaaebf889460e7e3
-
SHA256
b980bb129c70a425dcb7a02ac91db1ce49af744ef9f35f00d8916c37c298f032
-
SHA512
64adce0373b9308db1fed4f40bd69fcb449277e15c3c02a322bf18c68d0f2c90930c694603df4e1404cb80b9cc5687bf984428e5c533e50d4ad0ba3169c7f393
-
SSDEEP
6144:flLQNw5CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDj9GQeqV05CPXbo92ynnZlVS:f9FHRFbe2GQuFHRFbeN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljnlecmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcpclbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpleig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqcqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgoeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkkeclfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffddka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkffog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhldnkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedgjgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhoae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjhcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmmjbkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmdecbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgokmgjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhnaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgihaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncianepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fflohaij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docmgjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eolpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgbgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edopabqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqhcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnlaehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejflhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgged32.exe -
Executes dropped EXE 64 IoCs
pid Process 1012 Obfhba32.exe 2960 Obidhaog.exe 1504 Pcjapi32.exe 1752 Pclneicb.exe 456 Pnbbbabh.exe 1688 Pndohaqe.exe 660 Pabkdmpi.exe 5012 Pkhoae32.exe 2608 Pnfkma32.exe 1996 Paegjl32.exe 8 Qbgqio32.exe 2432 Acjjfggb.exe 3680 Aanjpk32.exe 3308 Ahhblemi.exe 2684 Ahkobekf.exe 3032 Aacckjaf.exe 4052 Adapgfqj.exe 724 Ahoimd32.exe 1416 Ajneip32.exe 1652 Blmacb32.exe 1132 Beeflhdh.exe 3964 Bdkcmdhp.exe 4812 Blbknaib.exe 1624 Baaplhef.exe 4696 Bkidenlg.exe 932 Cbqlfkmi.exe 1084 Cafigg32.exe 4184 Cojjqlpk.exe 3972 Cbgbgj32.exe 4356 Cbjoljdo.exe 4292 Clbceo32.exe 556 Docmgjhp.exe 3908 Demecd32.exe 3616 Doeiljfn.exe 3684 Deoaid32.exe 2288 Dhnnep32.exe 2516 Dkljak32.exe 1412 Dohfbj32.exe 3344 Deanodkh.exe 2944 Dllfkn32.exe 2580 Dedkdcie.exe 3260 Ddgkpp32.exe 2728 Eolpmi32.exe 3188 Edihepnm.exe 4528 Ecjhcg32.exe 2200 Eeidoc32.exe 2364 Elbmlmml.exe 3960 Ecmeig32.exe 3300 Ednaqo32.exe 3664 Eleiam32.exe 808 Eabbjc32.exe 632 Edpnfo32.exe 1468 Elgfgl32.exe 2152 Ecandfpd.exe 2336 Edbklofb.exe 4448 Fljcmlfd.exe 1560 Fafkecel.exe 2108 Fdegandp.exe 3584 Fojlngce.exe 5044 Ffddka32.exe 5008 Fkalchij.exe 4416 Ffgqqaip.exe 396 Flqimk32.exe 392 Fooeif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe Jklinohd.exe File opened for modification C:\Windows\SysWOW64\Mjjkaabc.exe Mcpcdg32.exe File opened for modification C:\Windows\SysWOW64\Aqppkd32.exe Ajfhnjhq.exe File created C:\Windows\SysWOW64\Ioenpjfm.dll Bjbfklei.exe File created C:\Windows\SysWOW64\Mmjmhg32.dll Camddhoi.exe File created C:\Windows\SysWOW64\Ejhdfi32.dll Imiehfao.exe File opened for modification C:\Windows\SysWOW64\Mifljdjo.exe Mblcnj32.exe File created C:\Windows\SysWOW64\Lgccinoe.exe Lddgmbpb.exe File opened for modification C:\Windows\SysWOW64\Aopemh32.exe Process not Found File created C:\Windows\SysWOW64\Bknlbhhe.exe Process not Found File created C:\Windows\SysWOW64\Icifbang.exe Iicbehnq.exe File opened for modification C:\Windows\SysWOW64\Nedjjj32.exe Nojanpej.exe File created C:\Windows\SysWOW64\Lpjjmg32.exe Process not Found File created C:\Windows\SysWOW64\Lhnblp32.dll Fjhacf32.exe File created C:\Windows\SysWOW64\Igbalblk.exe Injmcmej.exe File opened for modification C:\Windows\SysWOW64\Jjgchm32.exe Icnklbmj.exe File created C:\Windows\SysWOW64\Ajfhnjhq.exe Aclpap32.exe File created C:\Windows\SysWOW64\Djfkblnn.dll Hhbkinel.exe File created C:\Windows\SysWOW64\Biafno32.dll Process not Found File created C:\Windows\SysWOW64\Gapbdjgd.dll Haafcb32.exe File opened for modification C:\Windows\SysWOW64\Nbefdijg.exe Nlkngo32.exe File opened for modification C:\Windows\SysWOW64\Gklnjj32.exe Gdafnpqh.exe File created C:\Windows\SysWOW64\Pjmjdm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gokdeeec.exe Gmlhii32.exe File created C:\Windows\SysWOW64\Ogcggo32.dll Mhppji32.exe File opened for modification C:\Windows\SysWOW64\Kinmcg32.exe Kbddfmgl.exe File created C:\Windows\SysWOW64\Pkogiikb.exe Ohpkmn32.exe File created C:\Windows\SysWOW64\Mockmala.exe Mhicpg32.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Eciplm32.exe File opened for modification C:\Windows\SysWOW64\Oodcdb32.exe Ohkkhhmh.exe File opened for modification C:\Windows\SysWOW64\Docmgjhp.exe Clbceo32.exe File created C:\Windows\SysWOW64\Eobocb32.exe Eglgbdep.exe File created C:\Windows\SysWOW64\Eciplm32.exe Elbhjp32.exe File created C:\Windows\SysWOW64\Oflmnh32.exe Process not Found File created C:\Windows\SysWOW64\Kcnmgane.dll Eolhbc32.exe File created C:\Windows\SysWOW64\Onpjichj.exe Ohfami32.exe File created C:\Windows\SysWOW64\Pmikmcgp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Process not Found File created C:\Windows\SysWOW64\Chempj32.dll Qmkadgpo.exe File created C:\Windows\SysWOW64\Akmfnc32.dll Agoabn32.exe File created C:\Windows\SysWOW64\Oipoad32.dll Bjodjb32.exe File opened for modification C:\Windows\SysWOW64\Chlflabp.exe Cfnjpfcl.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Process not Found File created C:\Windows\SysWOW64\Dojpmiij.dll Process not Found File created C:\Windows\SysWOW64\Njciko32.exe Ncianepl.exe File created C:\Windows\SysWOW64\Molelb32.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Jdpkflfe.exe Jnfcia32.exe File created C:\Windows\SysWOW64\Lhhmmcaa.dll Cihclh32.exe File created C:\Windows\SysWOW64\Nagpeo32.exe Nnicid32.exe File created C:\Windows\SysWOW64\Kbjodaqj.dll Fiaael32.exe File created C:\Windows\SysWOW64\Jgbfjmkq.dll Process not Found File created C:\Windows\SysWOW64\Echegpbb.dll Afmhck32.exe File created C:\Windows\SysWOW64\Ddakjkqi.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Llgmeiqa.dll Mchppmij.exe File created C:\Windows\SysWOW64\Olicnfco.exe Oacoqnci.exe File created C:\Windows\SysWOW64\Fidafj32.dll Emhldnkj.exe File opened for modification C:\Windows\SysWOW64\Nlnbgddc.exe Nedjjj32.exe File created C:\Windows\SysWOW64\Jbecoe32.dll Qkipkani.exe File opened for modification C:\Windows\SysWOW64\Bmhocd32.exe Process not Found File created C:\Windows\SysWOW64\Mmpijp32.exe Mgfqmfde.exe File created C:\Windows\SysWOW64\Knkekn32.exe Kkmioc32.exe File created C:\Windows\SysWOW64\Afeknhab.dll Hmpcbhji.exe File created C:\Windows\SysWOW64\Klbnajqc.exe Process not Found File created C:\Windows\SysWOW64\Eoefilfc.dll Aflaie32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13052 12220 Process not Found 1390 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnmepn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekmhejao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggbook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcjcnoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoogfnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpehof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndlapjeg.dll" Jhndljll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akglloai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll" Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhppji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfillg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodlgn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbcjhfb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihgnkkbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" Legjmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njkkbehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgfhfd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhicpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnkfijp.dll" Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgihfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakdmb32.dll" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmncpmp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehkclgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadpldgf.dll" Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdomhkp.dll" Acpbbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoigbgj.dll" Injmcmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpihhpj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll" Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcflijmh.dll" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjfkopm.dll" Fhgjblfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll" Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmofagfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3528 wrote to memory of 1012 3528 2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe 84 PID 3528 wrote to memory of 1012 3528 2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe 84 PID 3528 wrote to memory of 1012 3528 2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe 84 PID 1012 wrote to memory of 2960 1012 Obfhba32.exe 85 PID 1012 wrote to memory of 2960 1012 Obfhba32.exe 85 PID 1012 wrote to memory of 2960 1012 Obfhba32.exe 85 PID 2960 wrote to memory of 1504 2960 Obidhaog.exe 86 PID 2960 wrote to memory of 1504 2960 Obidhaog.exe 86 PID 2960 wrote to memory of 1504 2960 Obidhaog.exe 86 PID 1504 wrote to memory of 1752 1504 Pcjapi32.exe 87 PID 1504 wrote to memory of 1752 1504 Pcjapi32.exe 87 PID 1504 wrote to memory of 1752 1504 Pcjapi32.exe 87 PID 1752 wrote to memory of 456 1752 Pclneicb.exe 89 PID 1752 wrote to memory of 456 1752 Pclneicb.exe 89 PID 1752 wrote to memory of 456 1752 Pclneicb.exe 89 PID 456 wrote to memory of 1688 456 Pnbbbabh.exe 90 PID 456 wrote to memory of 1688 456 Pnbbbabh.exe 90 PID 456 wrote to memory of 1688 456 Pnbbbabh.exe 90 PID 1688 wrote to memory of 660 1688 Pndohaqe.exe 91 PID 1688 wrote to memory of 660 1688 Pndohaqe.exe 91 PID 1688 wrote to memory of 660 1688 Pndohaqe.exe 91 PID 660 wrote to memory of 5012 660 Pabkdmpi.exe 92 PID 660 wrote to memory of 5012 660 Pabkdmpi.exe 92 PID 660 wrote to memory of 5012 660 Pabkdmpi.exe 92 PID 5012 wrote to memory of 2608 5012 Pkhoae32.exe 94 PID 5012 wrote to memory of 2608 5012 Pkhoae32.exe 94 PID 5012 wrote to memory of 2608 5012 Pkhoae32.exe 94 PID 2608 wrote to memory of 1996 2608 Pnfkma32.exe 95 PID 2608 wrote to memory of 1996 2608 Pnfkma32.exe 95 PID 2608 wrote to memory of 1996 2608 Pnfkma32.exe 95 PID 1996 wrote to memory of 8 1996 Paegjl32.exe 96 PID 1996 wrote to memory of 8 1996 Paegjl32.exe 96 PID 1996 wrote to memory of 8 1996 Paegjl32.exe 96 PID 8 wrote to memory of 2432 8 Qbgqio32.exe 97 PID 8 wrote to memory of 2432 8 Qbgqio32.exe 97 PID 8 wrote to memory of 2432 8 Qbgqio32.exe 97 PID 2432 wrote to memory of 3680 2432 Acjjfggb.exe 98 PID 2432 wrote to memory of 3680 2432 Acjjfggb.exe 98 PID 2432 wrote to memory of 3680 2432 Acjjfggb.exe 98 PID 3680 wrote to memory of 3308 3680 Aanjpk32.exe 100 PID 3680 wrote to memory of 3308 3680 Aanjpk32.exe 100 PID 3680 wrote to memory of 3308 3680 Aanjpk32.exe 100 PID 3308 wrote to memory of 2684 3308 Ahhblemi.exe 101 PID 3308 wrote to memory of 2684 3308 Ahhblemi.exe 101 PID 3308 wrote to memory of 2684 3308 Ahhblemi.exe 101 PID 2684 wrote to memory of 3032 2684 Ahkobekf.exe 102 PID 2684 wrote to memory of 3032 2684 Ahkobekf.exe 102 PID 2684 wrote to memory of 3032 2684 Ahkobekf.exe 102 PID 3032 wrote to memory of 4052 3032 Aacckjaf.exe 103 PID 3032 wrote to memory of 4052 3032 Aacckjaf.exe 103 PID 3032 wrote to memory of 4052 3032 Aacckjaf.exe 103 PID 4052 wrote to memory of 724 4052 Adapgfqj.exe 104 PID 4052 wrote to memory of 724 4052 Adapgfqj.exe 104 PID 4052 wrote to memory of 724 4052 Adapgfqj.exe 104 PID 724 wrote to memory of 1416 724 Ahoimd32.exe 105 PID 724 wrote to memory of 1416 724 Ahoimd32.exe 105 PID 724 wrote to memory of 1416 724 Ahoimd32.exe 105 PID 1416 wrote to memory of 1652 1416 Ajneip32.exe 106 PID 1416 wrote to memory of 1652 1416 Ajneip32.exe 106 PID 1416 wrote to memory of 1652 1416 Ajneip32.exe 106 PID 1652 wrote to memory of 1132 1652 Blmacb32.exe 107 PID 1652 wrote to memory of 1132 1652 Blmacb32.exe 107 PID 1652 wrote to memory of 1132 1652 Blmacb32.exe 107 PID 1132 wrote to memory of 3964 1132 Beeflhdh.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2f4993563818cea816e8ac559ed6ba38_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe23⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe24⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe25⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe26⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe27⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe28⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe29⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe31⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4292 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe34⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe35⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe36⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe37⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe38⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe39⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe40⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe41⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe42⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe43⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe45⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe47⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe48⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe49⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe50⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe51⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe52⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe53⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe54⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe55⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe56⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe57⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe58⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe59⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe60⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe62⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe63⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe64⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe65⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe66⤵PID:1404
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe67⤵
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe69⤵PID:3080
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe70⤵PID:4276
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe71⤵PID:1704
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe72⤵PID:4608
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe73⤵PID:4072
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe74⤵PID:4640
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe75⤵PID:3612
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe76⤵PID:1828
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe77⤵PID:1000
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe78⤵PID:1252
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe79⤵
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe80⤵PID:2064
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe81⤵PID:2216
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe82⤵PID:1960
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe83⤵PID:624
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe84⤵PID:5136
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe85⤵PID:5180
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe86⤵PID:5224
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe87⤵PID:5272
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe88⤵PID:5316
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe89⤵PID:5352
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe90⤵PID:5396
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5440 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe92⤵PID:5484
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe93⤵PID:5528
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe94⤵PID:5572
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe95⤵PID:5612
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe96⤵PID:5660
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe97⤵PID:5704
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe99⤵PID:5796
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe100⤵PID:5836
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe101⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe102⤵PID:5920
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe103⤵PID:5964
-
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe104⤵PID:6008
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe105⤵PID:6052
-
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe106⤵PID:6096
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe107⤵PID:6140
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe108⤵PID:5164
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe109⤵PID:5240
-
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe110⤵PID:5300
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe111⤵PID:5384
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe112⤵PID:5452
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe113⤵PID:5520
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe114⤵PID:5608
-
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe115⤵PID:5700
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe116⤵PID:5732
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe117⤵PID:5828
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908 -
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe119⤵PID:5972
-
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe120⤵PID:6036
-
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe121⤵PID:1500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-