Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
20/05/2024, 09:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe
-
Size
448KB
-
MD5
a4581f93ef20bf296b664255a86f3142
-
SHA1
650d41470e5273849f59cb4cd763240fefb6740d
-
SHA256
1ff3454925beee36d8f19726b3a1ee63fe2c1e0348ab071a749a8eb624e1f4c2
-
SHA512
f431db3d3775de48c6bdf13312321b067eddee767abffbf3a9eb9d5a925d7a8f2b28ef45d4cdf654f4326b377fad740e2d96704f13e3647e2f28a75c889db670
-
SSDEEP
6144:ltkpYYv626s21L7/s50z/Wa3/PNlP59ENQdgrb8X6SJqGaPonZh/nr0xuIKjyAHM:llYvE705kWM/9J6gqGBf/sAHZHbgdhgi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqfffqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcahhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdjbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhigphio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnnojlpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmibdlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojald32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgggf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbefoai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmiij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aibajhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohnhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdnkb32.exe -
Executes dropped EXE 64 IoCs
pid Process 1252 Kfmhol32.exe 2884 Kcahhq32.exe 2636 Kmimafop.exe 2680 Kipnfged.exe 2528 Kpjfba32.exe 2444 Klqfhbbe.exe 2896 Kdlkld32.exe 1632 Lmdpejfq.exe 2764 Lkhpnnej.exe 1864 Lpeifeca.exe 2192 Lhlqhb32.exe 2908 Limmokib.exe 1532 Lgdjnofi.exe 2096 Lefkjkmc.exe 1156 Mcjkcplm.exe 540 Maphdl32.exe 588 Mabejlob.exe 1380 Mlgigdoh.exe 2404 Madapkmp.exe 1268 Mdcnlglc.exe 760 Mpjoqhah.exe 2036 Mkobnqan.exe 2848 Nnnojlpa.exe 1908 Ndgggf32.exe 1404 Ngfcca32.exe 1708 Nnplpl32.exe 2716 Npnhlg32.exe 2660 Nghphaeo.exe 2544 Njgldmdc.exe 2736 Nocemcbj.exe 2360 Nlgefh32.exe 2488 Ncancbha.exe 2368 Nohnhc32.exe 1052 Nccjhafn.exe 2768 Ohqbqhde.exe 2004 Oojknblb.exe 2164 Odgcfijj.exe 472 Ogfpbeim.exe 2200 Oomhcbjp.exe 1976 Oqndkj32.exe 2268 Oiellh32.exe 2256 Ojficpfn.exe 2820 Obnqem32.exe 488 Oelmai32.exe 2980 Okfencna.exe 1860 Ojieip32.exe 1048 Omgaek32.exe 3004 Oenifh32.exe 2052 Ofpfnqjp.exe 2084 Ojkboo32.exe 1256 Pphjgfqq.exe 1060 Pfbccp32.exe 2580 Pipopl32.exe 2628 Paggai32.exe 2092 Ppjglfon.exe 2608 Pbiciana.exe 2452 Pjpkjond.exe 340 Pmnhfjmg.exe 2756 Pchpbded.exe 2336 Pbkpna32.exe 1700 Peiljl32.exe 1548 Pmqdkj32.exe 1592 Pnbacbac.exe 2420 Pelipl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe 2220 a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe 1252 Kfmhol32.exe 1252 Kfmhol32.exe 2884 Kcahhq32.exe 2884 Kcahhq32.exe 2636 Kmimafop.exe 2636 Kmimafop.exe 2680 Kipnfged.exe 2680 Kipnfged.exe 2528 Kpjfba32.exe 2528 Kpjfba32.exe 2444 Klqfhbbe.exe 2444 Klqfhbbe.exe 2896 Kdlkld32.exe 2896 Kdlkld32.exe 1632 Lmdpejfq.exe 1632 Lmdpejfq.exe 2764 Lkhpnnej.exe 2764 Lkhpnnej.exe 1864 Lpeifeca.exe 1864 Lpeifeca.exe 2192 Lhlqhb32.exe 2192 Lhlqhb32.exe 2908 Limmokib.exe 2908 Limmokib.exe 1532 Lgdjnofi.exe 1532 Lgdjnofi.exe 2096 Lefkjkmc.exe 2096 Lefkjkmc.exe 1156 Mcjkcplm.exe 1156 Mcjkcplm.exe 540 Maphdl32.exe 540 Maphdl32.exe 588 Mabejlob.exe 588 Mabejlob.exe 1380 Mlgigdoh.exe 1380 Mlgigdoh.exe 2404 Madapkmp.exe 2404 Madapkmp.exe 1268 Mdcnlglc.exe 1268 Mdcnlglc.exe 760 Mpjoqhah.exe 760 Mpjoqhah.exe 2036 Mkobnqan.exe 2036 Mkobnqan.exe 2848 Nnnojlpa.exe 2848 Nnnojlpa.exe 1908 Ndgggf32.exe 1908 Ndgggf32.exe 1404 Ngfcca32.exe 1404 Ngfcca32.exe 1708 Nnplpl32.exe 1708 Nnplpl32.exe 2716 Npnhlg32.exe 2716 Npnhlg32.exe 2660 Nghphaeo.exe 2660 Nghphaeo.exe 2544 Njgldmdc.exe 2544 Njgldmdc.exe 2736 Nocemcbj.exe 2736 Nocemcbj.exe 2360 Nlgefh32.exe 2360 Nlgefh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Nialog32.exe Najdnj32.exe File opened for modification C:\Windows\SysWOW64\Pjadmnic.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Dhekfh32.dll Ampqjm32.exe File opened for modification C:\Windows\SysWOW64\Emeopn32.exe Ejgcdb32.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Mimbdhhb.exe File created C:\Windows\SysWOW64\Iiiaeiac.dll Lpeifeca.exe File created C:\Windows\SysWOW64\Acjgoa32.dll Lhlqhb32.exe File opened for modification C:\Windows\SysWOW64\Ifcbodli.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Mcbjgn32.exe Mpdnkb32.exe File opened for modification C:\Windows\SysWOW64\Nkiogn32.exe Npdjje32.exe File created C:\Windows\SysWOW64\Miikgeea.dll Npdjje32.exe File opened for modification C:\Windows\SysWOW64\Oqideepg.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Lhlqhb32.exe Lpeifeca.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Cfeddafl.exe Cphlljge.exe File created C:\Windows\SysWOW64\Jfekcg32.exe Jkpgfn32.exe File opened for modification C:\Windows\SysWOW64\Knjbnh32.exe Kafbec32.exe File created C:\Windows\SysWOW64\Clkmne32.dll Fjaonpnn.exe File created C:\Windows\SysWOW64\Ojieip32.exe Okfencna.exe File opened for modification C:\Windows\SysWOW64\Peiljl32.exe Pbkpna32.exe File created C:\Windows\SysWOW64\Iggkllpe.exe Iqmcpahh.exe File created C:\Windows\SysWOW64\Affcmdmb.dll Eplkpgnh.exe File opened for modification C:\Windows\SysWOW64\Oojknblb.exe Ohqbqhde.exe File created C:\Windows\SysWOW64\Pnbacbac.exe Pmqdkj32.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Afohaa32.exe File created C:\Windows\SysWOW64\Dhnmij32.exe Dfoqmo32.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Enihne32.exe File created C:\Windows\SysWOW64\Qkophk32.dll Mihiih32.exe File opened for modification C:\Windows\SysWOW64\Ckjpacfp.exe Biicik32.exe File created C:\Windows\SysWOW64\Lpeifeca.exe Lkhpnnej.exe File created C:\Windows\SysWOW64\Bhglodcb.dll Qlkdkd32.exe File created C:\Windows\SysWOW64\Ejgcdb32.exe Ebpkce32.exe File opened for modification C:\Windows\SysWOW64\Epieghdk.exe Egamfkdh.exe File opened for modification C:\Windows\SysWOW64\Hcnpbi32.exe Hnagjbdf.exe File opened for modification C:\Windows\SysWOW64\Kafbec32.exe Keoapb32.exe File created C:\Windows\SysWOW64\Pmnafl32.dll Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Ojkboo32.exe Ofpfnqjp.exe File created C:\Windows\SysWOW64\Gfegkapd.dll Pchpbded.exe File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe Lkncmmle.exe File opened for modification C:\Windows\SysWOW64\Clilkfnb.exe Ceodnl32.exe File opened for modification C:\Windows\SysWOW64\Maphdl32.exe Mcjkcplm.exe File created C:\Windows\SysWOW64\Ajphib32.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Qbelgood.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Ajdplfmo.dll Alegac32.exe File created C:\Windows\SysWOW64\Afohaa32.exe Aemkjiem.exe File opened for modification C:\Windows\SysWOW64\Djbiicon.exe Ddeaalpg.exe File opened for modification C:\Windows\SysWOW64\Pklhlael.exe Pimkpfeh.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Maphhihi.dll Eilpeooq.exe File created C:\Windows\SysWOW64\Kcihlong.exe Kmopod32.exe File created C:\Windows\SysWOW64\Onhgbmfb.exe Okikfagn.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pclfkc32.exe File opened for modification C:\Windows\SysWOW64\Bdbhke32.exe Bpgljfbl.exe File opened for modification C:\Windows\SysWOW64\Oelmai32.exe Obnqem32.exe File created C:\Windows\SysWOW64\Bbflib32.exe Bkodhe32.exe File created C:\Windows\SysWOW64\Ampehe32.dll Egoife32.exe File opened for modification C:\Windows\SysWOW64\Pchpbded.exe Pmnhfjmg.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Jofiln32.exe Jnemdecl.exe File created C:\Windows\SysWOW64\Aagancdj.dll Lihmjejl.exe File created C:\Windows\SysWOW64\Aibajhdn.exe Afcenm32.exe File created C:\Windows\SysWOW64\Lkmkpl32.dll Enhacojl.exe File opened for modification C:\Windows\SysWOW64\Mkobnqan.exe Mpjoqhah.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4844 4728 WerFault.exe 430 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjlmdgj.dll" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiiaeiac.dll" Lpeifeca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfegkapd.dll" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najdnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdijd32.dll" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aagancdj.dll" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhepm32.dll" Nnplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hodpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdgnl32.dll" Njgldmdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbqhde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhllhfdh.dll" Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aefbii32.dll" Lkncmmle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll" Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejkima32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efcfga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbiciana.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmoipopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpbaebdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckblig32.dll" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhaff32.dll" Peiljl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkcbgek.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1252 2220 a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1252 2220 a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1252 2220 a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1252 2220 a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe 28 PID 1252 wrote to memory of 2884 1252 Kfmhol32.exe 29 PID 1252 wrote to memory of 2884 1252 Kfmhol32.exe 29 PID 1252 wrote to memory of 2884 1252 Kfmhol32.exe 29 PID 1252 wrote to memory of 2884 1252 Kfmhol32.exe 29 PID 2884 wrote to memory of 2636 2884 Kcahhq32.exe 30 PID 2884 wrote to memory of 2636 2884 Kcahhq32.exe 30 PID 2884 wrote to memory of 2636 2884 Kcahhq32.exe 30 PID 2884 wrote to memory of 2636 2884 Kcahhq32.exe 30 PID 2636 wrote to memory of 2680 2636 Kmimafop.exe 31 PID 2636 wrote to memory of 2680 2636 Kmimafop.exe 31 PID 2636 wrote to memory of 2680 2636 Kmimafop.exe 31 PID 2636 wrote to memory of 2680 2636 Kmimafop.exe 31 PID 2680 wrote to memory of 2528 2680 Kipnfged.exe 32 PID 2680 wrote to memory of 2528 2680 Kipnfged.exe 32 PID 2680 wrote to memory of 2528 2680 Kipnfged.exe 32 PID 2680 wrote to memory of 2528 2680 Kipnfged.exe 32 PID 2528 wrote to memory of 2444 2528 Kpjfba32.exe 33 PID 2528 wrote to memory of 2444 2528 Kpjfba32.exe 33 PID 2528 wrote to memory of 2444 2528 Kpjfba32.exe 33 PID 2528 wrote to memory of 2444 2528 Kpjfba32.exe 33 PID 2444 wrote to memory of 2896 2444 Klqfhbbe.exe 34 PID 2444 wrote to memory of 2896 2444 Klqfhbbe.exe 34 PID 2444 wrote to memory of 2896 2444 Klqfhbbe.exe 34 PID 2444 wrote to memory of 2896 2444 Klqfhbbe.exe 34 PID 2896 wrote to memory of 1632 2896 Kdlkld32.exe 35 PID 2896 wrote to memory of 1632 2896 Kdlkld32.exe 35 PID 2896 wrote to memory of 1632 2896 Kdlkld32.exe 35 PID 2896 wrote to memory of 1632 2896 Kdlkld32.exe 35 PID 1632 wrote to memory of 2764 1632 Lmdpejfq.exe 36 PID 1632 wrote to memory of 2764 1632 Lmdpejfq.exe 36 PID 1632 wrote to memory of 2764 1632 Lmdpejfq.exe 36 PID 1632 wrote to memory of 2764 1632 Lmdpejfq.exe 36 PID 2764 wrote to memory of 1864 2764 Lkhpnnej.exe 37 PID 2764 wrote to memory of 1864 2764 Lkhpnnej.exe 37 PID 2764 wrote to memory of 1864 2764 Lkhpnnej.exe 37 PID 2764 wrote to memory of 1864 2764 Lkhpnnej.exe 37 PID 1864 wrote to memory of 2192 1864 Lpeifeca.exe 38 PID 1864 wrote to memory of 2192 1864 Lpeifeca.exe 38 PID 1864 wrote to memory of 2192 1864 Lpeifeca.exe 38 PID 1864 wrote to memory of 2192 1864 Lpeifeca.exe 38 PID 2192 wrote to memory of 2908 2192 Lhlqhb32.exe 39 PID 2192 wrote to memory of 2908 2192 Lhlqhb32.exe 39 PID 2192 wrote to memory of 2908 2192 Lhlqhb32.exe 39 PID 2192 wrote to memory of 2908 2192 Lhlqhb32.exe 39 PID 2908 wrote to memory of 1532 2908 Limmokib.exe 40 PID 2908 wrote to memory of 1532 2908 Limmokib.exe 40 PID 2908 wrote to memory of 1532 2908 Limmokib.exe 40 PID 2908 wrote to memory of 1532 2908 Limmokib.exe 40 PID 1532 wrote to memory of 2096 1532 Lgdjnofi.exe 41 PID 1532 wrote to memory of 2096 1532 Lgdjnofi.exe 41 PID 1532 wrote to memory of 2096 1532 Lgdjnofi.exe 41 PID 1532 wrote to memory of 2096 1532 Lgdjnofi.exe 41 PID 2096 wrote to memory of 1156 2096 Lefkjkmc.exe 42 PID 2096 wrote to memory of 1156 2096 Lefkjkmc.exe 42 PID 2096 wrote to memory of 1156 2096 Lefkjkmc.exe 42 PID 2096 wrote to memory of 1156 2096 Lefkjkmc.exe 42 PID 1156 wrote to memory of 540 1156 Mcjkcplm.exe 43 PID 1156 wrote to memory of 540 1156 Mcjkcplm.exe 43 PID 1156 wrote to memory of 540 1156 Mcjkcplm.exe 43 PID 1156 wrote to memory of 540 1156 Mcjkcplm.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a4581f93ef20bf296b664255a86f3142_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe33⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe35⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe38⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe40⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe41⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe42⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe43⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe45⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe47⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe48⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe49⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe51⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe52⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe53⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe56⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe58⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe64⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe66⤵PID:332
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe67⤵PID:1036
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe68⤵PID:2408
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe69⤵PID:2080
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe70⤵PID:1308
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe71⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe72⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe73⤵PID:2068
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe74⤵PID:2532
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe75⤵PID:2348
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe76⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe78⤵PID:612
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe79⤵PID:2776
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe80⤵PID:1872
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe81⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe84⤵PID:1836
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2320 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe86⤵PID:816
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe87⤵PID:1236
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe88⤵PID:1704
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe89⤵PID:2632
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe90⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe91⤵PID:2808
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe92⤵PID:2724
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe94⤵PID:2328
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe95⤵PID:1956
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe96⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe98⤵PID:2324
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe99⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe100⤵PID:2276
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe101⤵PID:3064
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe102⤵PID:1028
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe103⤵PID:2088
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe104⤵PID:1712
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe105⤵PID:1964
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe106⤵PID:2504
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe107⤵PID:2288
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe108⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe109⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe110⤵PID:2204
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe111⤵PID:2728
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe112⤵PID:1444
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe113⤵PID:1856
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe115⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe117⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe120⤵PID:2448
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe121⤵PID:2916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-