Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 15:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe
-
Size
72KB
-
MD5
edf90482265a073908e15bf35ef85ea0
-
SHA1
cde39390e04ec72d3670d7a74e50144521a13e4d
-
SHA256
c240e0b622f4c480e25de823468bf284cfed023ebc8c44fe3098d9f90606c9a7
-
SHA512
56a958b09897e0a826742a82a315b83a2e36012598cc6b1ffbbcada7d7bceb5299fd50a929572656a2243c6d52fc2740e7a4c8e0926071f485a82b25b249a81a
-
SSDEEP
768:re45uH9xNA480QgYjyYgiiG/QW7DtG2JaKRGpIxHCaF/1H58NU9UiEb/KEiEixVD:9uH9qhy/VGoIDtGpEGfGbPgUN3QivEtA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjhkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocimgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqalka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnclnihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gebbnpfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkdgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjbgnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikhjki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoipopd.exe -
Executes dropped EXE 64 IoCs
pid Process 1996 Aiedjneg.exe 2960 Adjigg32.exe 2804 Ambmpmln.exe 2628 Abpfhcje.exe 2632 Aiinen32.exe 2512 Alhjai32.exe 2876 Afmonbqk.exe 2196 Ahokfj32.exe 1512 Bagpopmj.exe 2160 Bingpmnl.exe 1484 Bkodhe32.exe 316 Baildokg.exe 2036 Bhcdaibd.exe 2080 Bommnc32.exe 2056 Bkdmcdoe.exe 596 Banepo32.exe 1712 Bjijdadm.exe 2372 Baqbenep.exe 2000 Ckignd32.exe 1004 Cngcjo32.exe 468 Cdakgibq.exe 1676 Cgpgce32.exe 2112 Cnippoha.exe 2856 Cphlljge.exe 2840 Coklgg32.exe 2932 Cfeddafl.exe 2672 Cpjiajeb.exe 2616 Comimg32.exe 2740 Chemfl32.exe 2636 Claifkkf.exe 2544 Ckdjbh32.exe 2520 Cbnbobin.exe 2356 Cfinoq32.exe 2128 Chhjkl32.exe 1652 Dkhcmgnl.exe 2192 Dodonf32.exe 756 Ddagfm32.exe 1164 Dgodbh32.exe 2764 Ddcdkl32.exe 2536 Dkmmhf32.exe 2308 Djpmccqq.exe 964 Dmoipopd.exe 2556 Ddeaalpg.exe 2340 Dfgmhd32.exe 1156 Dnneja32.exe 2820 Dmafennb.exe 1784 Doobajme.exe 236 Dgfjbgmh.exe 1984 Dfijnd32.exe 1924 Djefobmk.exe 2224 Eqonkmdh.exe 2708 Eqonkmdh.exe 2744 Ecmkghcl.exe 2492 Eflgccbp.exe 2500 Eijcpoac.exe 1960 Emeopn32.exe 2384 Epdkli32.exe 1568 Ebbgid32.exe 1368 Eeqdep32.exe 1600 Emhlfmgj.exe 1576 Epfhbign.exe 916 Enihne32.exe 2776 Ebedndfa.exe 1940 Eecqjpee.exe -
Loads dropped DLL 64 IoCs
pid Process 1852 edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe 1852 edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe 1996 Aiedjneg.exe 1996 Aiedjneg.exe 2960 Adjigg32.exe 2960 Adjigg32.exe 2804 Ambmpmln.exe 2804 Ambmpmln.exe 2628 Abpfhcje.exe 2628 Abpfhcje.exe 2632 Aiinen32.exe 2632 Aiinen32.exe 2512 Alhjai32.exe 2512 Alhjai32.exe 2876 Afmonbqk.exe 2876 Afmonbqk.exe 2196 Ahokfj32.exe 2196 Ahokfj32.exe 1512 Bagpopmj.exe 1512 Bagpopmj.exe 2160 Bingpmnl.exe 2160 Bingpmnl.exe 1484 Bkodhe32.exe 1484 Bkodhe32.exe 316 Baildokg.exe 316 Baildokg.exe 2036 Bhcdaibd.exe 2036 Bhcdaibd.exe 2080 Bommnc32.exe 2080 Bommnc32.exe 2056 Bkdmcdoe.exe 2056 Bkdmcdoe.exe 596 Banepo32.exe 596 Banepo32.exe 1712 Bjijdadm.exe 1712 Bjijdadm.exe 2372 Baqbenep.exe 2372 Baqbenep.exe 2000 Ckignd32.exe 2000 Ckignd32.exe 1004 Cngcjo32.exe 1004 Cngcjo32.exe 468 Cdakgibq.exe 468 Cdakgibq.exe 1676 Cgpgce32.exe 1676 Cgpgce32.exe 2112 Cnippoha.exe 2112 Cnippoha.exe 2856 Cphlljge.exe 2856 Cphlljge.exe 2840 Coklgg32.exe 2840 Coklgg32.exe 2932 Cfeddafl.exe 2932 Cfeddafl.exe 2672 Cpjiajeb.exe 2672 Cpjiajeb.exe 2616 Comimg32.exe 2616 Comimg32.exe 2740 Chemfl32.exe 2740 Chemfl32.exe 2636 Claifkkf.exe 2636 Claifkkf.exe 2544 Ckdjbh32.exe 2544 Ckdjbh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cgllco32.dll Ejmebq32.exe File created C:\Windows\SysWOW64\Lpbefoai.exe Lmcijcbe.exe File created C:\Windows\SysWOW64\Bpleef32.exe Biamilfj.exe File opened for modification C:\Windows\SysWOW64\Mmfbogcn.exe Mijfnh32.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mijfnh32.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Oqideepg.exe File created C:\Windows\SysWOW64\Pgplkb32.exe Pdaoog32.exe File created C:\Windows\SysWOW64\Pnjdhmdo.exe Pklhlael.exe File opened for modification C:\Windows\SysWOW64\Pciifc32.exe Pefijfii.exe File created C:\Windows\SysWOW64\Bleago32.dll Ikbgmj32.exe File opened for modification C:\Windows\SysWOW64\Jkbcln32.exe Jmocpado.exe File created C:\Windows\SysWOW64\Ckccgane.exe Cclkfdnc.exe File opened for modification C:\Windows\SysWOW64\Bafidiio.exe Bmkmdk32.exe File created C:\Windows\SysWOW64\Biicik32.exe Baakhm32.exe File opened for modification C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Bdeeqehb.exe Bafidiio.exe File created C:\Windows\SysWOW64\Akigbbni.dll Cdlgpgef.exe File created C:\Windows\SysWOW64\Dpelbgel.dll Jjpcbe32.exe File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe Ebbgid32.exe File created C:\Windows\SysWOW64\Igdogl32.exe Idfbkq32.exe File created C:\Windows\SysWOW64\Niebhf32.exe Ngfflj32.exe File created C:\Windows\SysWOW64\Hokokc32.dll Bjlqhoba.exe File created C:\Windows\SysWOW64\Eqgnokip.exe Emkaol32.exe File created C:\Windows\SysWOW64\Ilpedi32.dll Bhkdeggl.exe File created C:\Windows\SysWOW64\Fihicd32.dll Gakcimgf.exe File opened for modification C:\Windows\SysWOW64\Hoopae32.exe Hkcdafqb.exe File created C:\Windows\SysWOW64\Nafmbhpm.dll Jcjdpj32.exe File opened for modification C:\Windows\SysWOW64\Adjigg32.exe Aiedjneg.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Aadloj32.exe File opened for modification C:\Windows\SysWOW64\Alnqqd32.exe Aipddi32.exe File created C:\Windows\SysWOW64\Idnmhkin.dll Hapicp32.exe File created C:\Windows\SysWOW64\Labkdack.exe Lndohedg.exe File created C:\Windows\SysWOW64\Dlcdphdj.dll Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe Eeempocb.exe File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe Enkece32.exe File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File opened for modification C:\Windows\SysWOW64\Ckdjbh32.exe Claifkkf.exe File created C:\Windows\SysWOW64\Chhjkl32.exe Cfinoq32.exe File opened for modification C:\Windows\SysWOW64\Jgcdki32.exe Jdehon32.exe File created C:\Windows\SysWOW64\Melfncqb.exe Mapjmehi.exe File created C:\Windows\SysWOW64\Qpgpkcpp.exe Qmicohqm.exe File created C:\Windows\SysWOW64\Fehofegb.dll Alnqqd32.exe File created C:\Windows\SysWOW64\Ealnephf.exe Ebinic32.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gldkfl32.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Fdlhfbqi.dll Bldcpf32.exe File created C:\Windows\SysWOW64\Hhehek32.exe Heglio32.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Icjhagdp.exe File created C:\Windows\SysWOW64\Keledb32.dll Cfinoq32.exe File opened for modification C:\Windows\SysWOW64\Emeopn32.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Jgagfi32.exe Jqgoiokm.exe File opened for modification C:\Windows\SysWOW64\Ikbgmj32.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Oacima32.dll Mmceigep.exe File created C:\Windows\SysWOW64\Ppnidgoj.dll Fbopgb32.exe File created C:\Windows\SysWOW64\Anapbp32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File created C:\Windows\SysWOW64\Ldfgebbe.exe Lecgje32.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Jjpcbe32.exe Jgagfi32.exe File created C:\Windows\SysWOW64\Banepo32.exe Bkdmcdoe.exe File created C:\Windows\SysWOW64\Dkmmhf32.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Lldlqakb.exe Kifpdelo.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pnomcl32.exe File opened for modification C:\Windows\SysWOW64\Ceodnl32.exe Ccahbp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7076 7024 WerFault.exe 669 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipllekdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmddnil.dll" Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikojfgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiepfgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Effcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giieco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipgbjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bocolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fidoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkklljmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djpmccqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklemhne.dll" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mabgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll" Ddcdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfefiemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llnofpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" Hdnepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnmehnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgjljo.dll" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqahbgm.dll" Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Banepo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" Ngibaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmfoi32.dll" Jbllihbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keoapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddigjkid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamimc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll" Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelbgel.dll" Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icbimi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngibaj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 1996 1852 edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe 28 PID 1852 wrote to memory of 1996 1852 edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe 28 PID 1852 wrote to memory of 1996 1852 edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe 28 PID 1852 wrote to memory of 1996 1852 edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe 28 PID 1996 wrote to memory of 2960 1996 Aiedjneg.exe 29 PID 1996 wrote to memory of 2960 1996 Aiedjneg.exe 29 PID 1996 wrote to memory of 2960 1996 Aiedjneg.exe 29 PID 1996 wrote to memory of 2960 1996 Aiedjneg.exe 29 PID 2960 wrote to memory of 2804 2960 Adjigg32.exe 30 PID 2960 wrote to memory of 2804 2960 Adjigg32.exe 30 PID 2960 wrote to memory of 2804 2960 Adjigg32.exe 30 PID 2960 wrote to memory of 2804 2960 Adjigg32.exe 30 PID 2804 wrote to memory of 2628 2804 Ambmpmln.exe 31 PID 2804 wrote to memory of 2628 2804 Ambmpmln.exe 31 PID 2804 wrote to memory of 2628 2804 Ambmpmln.exe 31 PID 2804 wrote to memory of 2628 2804 Ambmpmln.exe 31 PID 2628 wrote to memory of 2632 2628 Abpfhcje.exe 32 PID 2628 wrote to memory of 2632 2628 Abpfhcje.exe 32 PID 2628 wrote to memory of 2632 2628 Abpfhcje.exe 32 PID 2628 wrote to memory of 2632 2628 Abpfhcje.exe 32 PID 2632 wrote to memory of 2512 2632 Aiinen32.exe 33 PID 2632 wrote to memory of 2512 2632 Aiinen32.exe 33 PID 2632 wrote to memory of 2512 2632 Aiinen32.exe 33 PID 2632 wrote to memory of 2512 2632 Aiinen32.exe 33 PID 2512 wrote to memory of 2876 2512 Alhjai32.exe 34 PID 2512 wrote to memory of 2876 2512 Alhjai32.exe 34 PID 2512 wrote to memory of 2876 2512 Alhjai32.exe 34 PID 2512 wrote to memory of 2876 2512 Alhjai32.exe 34 PID 2876 wrote to memory of 2196 2876 Afmonbqk.exe 35 PID 2876 wrote to memory of 2196 2876 Afmonbqk.exe 35 PID 2876 wrote to memory of 2196 2876 Afmonbqk.exe 35 PID 2876 wrote to memory of 2196 2876 Afmonbqk.exe 35 PID 2196 wrote to memory of 1512 2196 Ahokfj32.exe 36 PID 2196 wrote to memory of 1512 2196 Ahokfj32.exe 36 PID 2196 wrote to memory of 1512 2196 Ahokfj32.exe 36 PID 2196 wrote to memory of 1512 2196 Ahokfj32.exe 36 PID 1512 wrote to memory of 2160 1512 Bagpopmj.exe 37 PID 1512 wrote to memory of 2160 1512 Bagpopmj.exe 37 PID 1512 wrote to memory of 2160 1512 Bagpopmj.exe 37 PID 1512 wrote to memory of 2160 1512 Bagpopmj.exe 37 PID 2160 wrote to memory of 1484 2160 Bingpmnl.exe 38 PID 2160 wrote to memory of 1484 2160 Bingpmnl.exe 38 PID 2160 wrote to memory of 1484 2160 Bingpmnl.exe 38 PID 2160 wrote to memory of 1484 2160 Bingpmnl.exe 38 PID 1484 wrote to memory of 316 1484 Bkodhe32.exe 39 PID 1484 wrote to memory of 316 1484 Bkodhe32.exe 39 PID 1484 wrote to memory of 316 1484 Bkodhe32.exe 39 PID 1484 wrote to memory of 316 1484 Bkodhe32.exe 39 PID 316 wrote to memory of 2036 316 Baildokg.exe 40 PID 316 wrote to memory of 2036 316 Baildokg.exe 40 PID 316 wrote to memory of 2036 316 Baildokg.exe 40 PID 316 wrote to memory of 2036 316 Baildokg.exe 40 PID 2036 wrote to memory of 2080 2036 Bhcdaibd.exe 41 PID 2036 wrote to memory of 2080 2036 Bhcdaibd.exe 41 PID 2036 wrote to memory of 2080 2036 Bhcdaibd.exe 41 PID 2036 wrote to memory of 2080 2036 Bhcdaibd.exe 41 PID 2080 wrote to memory of 2056 2080 Bommnc32.exe 42 PID 2080 wrote to memory of 2056 2080 Bommnc32.exe 42 PID 2080 wrote to memory of 2056 2080 Bommnc32.exe 42 PID 2080 wrote to memory of 2056 2080 Bommnc32.exe 42 PID 2056 wrote to memory of 596 2056 Bkdmcdoe.exe 43 PID 2056 wrote to memory of 596 2056 Bkdmcdoe.exe 43 PID 2056 wrote to memory of 596 2056 Bkdmcdoe.exe 43 PID 2056 wrote to memory of 596 2056 Bkdmcdoe.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:468 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe33⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe35⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe37⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe44⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe45⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe47⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe49⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe50⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe51⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe52⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe54⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe57⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe58⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe60⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe61⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe62⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe63⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe64⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe65⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe66⤵PID:2284
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe67⤵
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe68⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe69⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe70⤵PID:1524
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe71⤵PID:936
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe72⤵PID:1928
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe73⤵
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe74⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe75⤵PID:2716
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe76⤵PID:2496
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe77⤵PID:2480
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe78⤵PID:1556
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe79⤵PID:696
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe80⤵PID:1632
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe81⤵PID:1448
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe82⤵PID:2044
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe83⤵PID:844
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe84⤵PID:2296
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe86⤵PID:2316
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe88⤵PID:1104
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe89⤵PID:1296
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe90⤵PID:992
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe91⤵PID:2212
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe92⤵PID:2668
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe93⤵PID:2572
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe94⤵PID:2700
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe95⤵PID:2524
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe96⤵
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe97⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe98⤵PID:2168
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe99⤵
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe100⤵PID:2884
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe101⤵PID:2344
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe102⤵
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe103⤵PID:1264
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe104⤵PID:2336
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe105⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe106⤵PID:2988
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe107⤵PID:2612
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe109⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe110⤵PID:2540
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe111⤵PID:1424
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe112⤵PID:2164
-
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe113⤵PID:2364
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe114⤵PID:2328
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe115⤵PID:2352
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe116⤵PID:1408
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe117⤵PID:2108
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe118⤵PID:280
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe119⤵PID:2900
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe120⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe121⤵PID:2684
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-