Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
21/05/2024, 08:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe
-
Size
182KB
-
MD5
1f0c7b2f49d27fe3ede3aae6c3df3770
-
SHA1
2d9b594f1b8a4bd3cf8fcd7933574a738e6f74d6
-
SHA256
23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608
-
SHA512
0dad7f686e99d6bf171f349352c2b5c14f4201429e947de11991c314d05aca733d7c8a116576ace95af756b67e07154213162f6705939418e64ed314103a609f
-
SSDEEP
1536:WuYqr94/tztXpEZo5916xNnepUbC2L77nguPw9uVgA53+RrKJs2zjFS3ldkBOLLk:WuYyO8Zo5/q9vj77nguPnVgA53+GpOc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kibjkgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgele32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekdekin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcgco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaajlfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekhfgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkmjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkpbgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piblek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhggmchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfcmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adhlaggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgele32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkbib32.exe -
Executes dropped EXE 64 IoCs
pid Process 1708 Kpemgbqf.exe 2356 Kmimafop.exe 2728 Kfaajlfp.exe 2104 Komfnnck.exe 2560 Kibjkgca.exe 2532 Kjcgco32.exe 2188 Lhggmchi.exe 2796 Lekhfgfc.exe 2636 Lmgmjjdn.exe 620 Ldqegd32.exe 1812 Lpgele32.exe 2596 Lkmjin32.exe 2360 Ldenbcge.exe 2136 Libgjj32.exe 2784 Mcjkcplm.exe 2308 Mhgclfje.exe 1268 Mekdekin.exe 1112 Mhjpaf32.exe 2036 Mabejlob.exe 1084 Menakj32.exe 3060 Mkjica32.exe 2040 Mofecpnl.exe 1932 Mdcnlglc.exe 1888 Mgajhbkg.exe 2264 Mdejaf32.exe 2220 Mhqfbebj.exe 2096 Njbcim32.exe 2684 Nplkfgoe.exe 2664 Nkaocp32.exe 2816 Njdpomfe.exe 2536 Ndjdlffl.exe 2608 Njgldmdc.exe 2368 Nocemcbj.exe 2852 Njiijlbp.exe 2900 Nlgefh32.exe 1764 Nfpjomgd.exe 2336 Nccjhafn.exe 1064 Odjpkihg.exe 2288 Ojficpfn.exe 1700 Oqqapjnk.exe 2488 Ocomlemo.exe 2248 Ojieip32.exe 680 Oenifh32.exe 992 Ogmfbd32.exe 836 Ojkboo32.exe 844 Pminkk32.exe 2212 Paejki32.exe 1688 Pgobhcac.exe 1740 Pjmodopf.exe 1796 Pmlkpjpj.exe 2252 Ppjglfon.exe 2088 Pcfcmd32.exe 2688 Pfdpip32.exe 2696 Piblek32.exe 2700 Plahag32.exe 2648 Pchpbded.exe 3028 Peiljl32.exe 2864 Pmqdkj32.exe 1292 Ppoqge32.exe 2008 Pnbacbac.exe 2020 Pelipl32.exe 1448 Pigeqkai.exe 2076 Plfamfpm.exe 2884 Pndniaop.exe -
Loads dropped DLL 64 IoCs
pid Process 2420 23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe 2420 23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe 1708 Kpemgbqf.exe 1708 Kpemgbqf.exe 2356 Kmimafop.exe 2356 Kmimafop.exe 2728 Kfaajlfp.exe 2728 Kfaajlfp.exe 2104 Komfnnck.exe 2104 Komfnnck.exe 2560 Kibjkgca.exe 2560 Kibjkgca.exe 2532 Kjcgco32.exe 2532 Kjcgco32.exe 2188 Lhggmchi.exe 2188 Lhggmchi.exe 2796 Lekhfgfc.exe 2796 Lekhfgfc.exe 2636 Lmgmjjdn.exe 2636 Lmgmjjdn.exe 620 Ldqegd32.exe 620 Ldqegd32.exe 1812 Lpgele32.exe 1812 Lpgele32.exe 2596 Lkmjin32.exe 2596 Lkmjin32.exe 2360 Ldenbcge.exe 2360 Ldenbcge.exe 2136 Libgjj32.exe 2136 Libgjj32.exe 2784 Mcjkcplm.exe 2784 Mcjkcplm.exe 2308 Mhgclfje.exe 2308 Mhgclfje.exe 1268 Mekdekin.exe 1268 Mekdekin.exe 1112 Mhjpaf32.exe 1112 Mhjpaf32.exe 2036 Mabejlob.exe 2036 Mabejlob.exe 1084 Menakj32.exe 1084 Menakj32.exe 3060 Mkjica32.exe 3060 Mkjica32.exe 2040 Mofecpnl.exe 2040 Mofecpnl.exe 1932 Mdcnlglc.exe 1932 Mdcnlglc.exe 1888 Mgajhbkg.exe 1888 Mgajhbkg.exe 2264 Mdejaf32.exe 2264 Mdejaf32.exe 2220 Mhqfbebj.exe 2220 Mhqfbebj.exe 2096 Njbcim32.exe 2096 Njbcim32.exe 2684 Nplkfgoe.exe 2684 Nplkfgoe.exe 2664 Nkaocp32.exe 2664 Nkaocp32.exe 2816 Njdpomfe.exe 2816 Njdpomfe.exe 2536 Ndjdlffl.exe 2536 Ndjdlffl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Efppoc32.exe Ebedndfa.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Komfnnck.exe Kfaajlfp.exe File opened for modification C:\Windows\SysWOW64\Ojieip32.exe Ocomlemo.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Ddagfm32.exe Dqelenlc.exe File opened for modification C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fhkpmjln.exe File created C:\Windows\SysWOW64\Glqllcbf.dll Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Aiedjneg.exe Affhncfc.exe File opened for modification C:\Windows\SysWOW64\Apomfh32.exe Aalmklfi.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Beehencq.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File opened for modification C:\Windows\SysWOW64\Paejki32.exe Pminkk32.exe File created C:\Windows\SysWOW64\Dcknbh32.exe Dqlafm32.exe File created C:\Windows\SysWOW64\Ikkbnm32.dll Fpdhklkl.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Gejcjbah.exe File created C:\Windows\SysWOW64\Omabcb32.dll Hgbebiao.exe File created C:\Windows\SysWOW64\Pnbgan32.dll Hjjddchg.exe File created C:\Windows\SysWOW64\Nocemcbj.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Edgoiebg.dll Ppoqge32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Baildokg.exe File opened for modification C:\Windows\SysWOW64\Adhlaggp.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Ecfecaop.dll Ndjdlffl.exe File opened for modification C:\Windows\SysWOW64\Nfpjomgd.exe Nlgefh32.exe File created C:\Windows\SysWOW64\Qagcpljo.exe Qnigda32.exe File created C:\Windows\SysWOW64\Midahn32.dll Eiaiqn32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Gldkfl32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Hogmmjfo.exe File opened for modification C:\Windows\SysWOW64\Pfdpip32.exe Pcfcmd32.exe File created C:\Windows\SysWOW64\Ahokfj32.exe Aepojo32.exe File created C:\Windows\SysWOW64\Lpdhmlbj.dll Egamfkdh.exe File created C:\Windows\SysWOW64\Qeqbkkej.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Kfqpfb32.dll Affhncfc.exe File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe Fbdqmghm.exe File opened for modification C:\Windows\SysWOW64\Lhggmchi.exe Kjcgco32.exe File created C:\Windows\SysWOW64\Ghgobd32.dll Lhggmchi.exe File opened for modification C:\Windows\SysWOW64\Pnbacbac.exe Ppoqge32.exe File created C:\Windows\SysWOW64\Gddifnbk.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Mgajhbkg.exe Mdcnlglc.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Ckignd32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Fphafl32.exe File created C:\Windows\SysWOW64\Dbehoa32.exe Dnilobkm.exe File created C:\Windows\SysWOW64\Ebinic32.exe Ennaieib.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fhffaj32.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hpapln32.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Aofqfokm.dll Alhjai32.exe File created C:\Windows\SysWOW64\Jbfpbmji.dll Apcfahio.exe File created C:\Windows\SysWOW64\Mdeced32.dll Dkkpbgli.exe File created C:\Windows\SysWOW64\Hiqbndpb.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Hggomh32.exe Hdhbam32.exe File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe Ioijbj32.exe File opened for modification C:\Windows\SysWOW64\Cbnbobin.exe Cckace32.exe File created C:\Windows\SysWOW64\Ipdljffa.dll Dbpodagk.exe File created C:\Windows\SysWOW64\Ecmkghcl.exe Eqonkmdh.exe File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe Fjlhneio.exe File opened for modification C:\Windows\SysWOW64\Ocomlemo.exe Oqqapjnk.exe File created C:\Windows\SysWOW64\Apomfh32.exe Aalmklfi.exe File created C:\Windows\SysWOW64\Cgpgce32.exe Cpeofk32.exe File opened for modification C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Fbdqmghm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1760 4072 WerFault.exe 259 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgcdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difoda32.dll" Njdpomfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" Bdooajdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjejphb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gopkmhjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mofecpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmchlpl.dll" Pfdpip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndniaop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" Dkkpbgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Ebgacddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll" Efppoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhjai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkaqmeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emhlfmgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Menakj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqqapjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" Dfijnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhqfbebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nplkfgoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpnnmjg.dll" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dkmmhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqelenlc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 1708 2420 23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe 28 PID 2420 wrote to memory of 1708 2420 23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe 28 PID 2420 wrote to memory of 1708 2420 23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe 28 PID 2420 wrote to memory of 1708 2420 23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe 28 PID 1708 wrote to memory of 2356 1708 Kpemgbqf.exe 29 PID 1708 wrote to memory of 2356 1708 Kpemgbqf.exe 29 PID 1708 wrote to memory of 2356 1708 Kpemgbqf.exe 29 PID 1708 wrote to memory of 2356 1708 Kpemgbqf.exe 29 PID 2356 wrote to memory of 2728 2356 Kmimafop.exe 30 PID 2356 wrote to memory of 2728 2356 Kmimafop.exe 30 PID 2356 wrote to memory of 2728 2356 Kmimafop.exe 30 PID 2356 wrote to memory of 2728 2356 Kmimafop.exe 30 PID 2728 wrote to memory of 2104 2728 Kfaajlfp.exe 31 PID 2728 wrote to memory of 2104 2728 Kfaajlfp.exe 31 PID 2728 wrote to memory of 2104 2728 Kfaajlfp.exe 31 PID 2728 wrote to memory of 2104 2728 Kfaajlfp.exe 31 PID 2104 wrote to memory of 2560 2104 Komfnnck.exe 32 PID 2104 wrote to memory of 2560 2104 Komfnnck.exe 32 PID 2104 wrote to memory of 2560 2104 Komfnnck.exe 32 PID 2104 wrote to memory of 2560 2104 Komfnnck.exe 32 PID 2560 wrote to memory of 2532 2560 Kibjkgca.exe 33 PID 2560 wrote to memory of 2532 2560 Kibjkgca.exe 33 PID 2560 wrote to memory of 2532 2560 Kibjkgca.exe 33 PID 2560 wrote to memory of 2532 2560 Kibjkgca.exe 33 PID 2532 wrote to memory of 2188 2532 Kjcgco32.exe 34 PID 2532 wrote to memory of 2188 2532 Kjcgco32.exe 34 PID 2532 wrote to memory of 2188 2532 Kjcgco32.exe 34 PID 2532 wrote to memory of 2188 2532 Kjcgco32.exe 34 PID 2188 wrote to memory of 2796 2188 Lhggmchi.exe 35 PID 2188 wrote to memory of 2796 2188 Lhggmchi.exe 35 PID 2188 wrote to memory of 2796 2188 Lhggmchi.exe 35 PID 2188 wrote to memory of 2796 2188 Lhggmchi.exe 35 PID 2796 wrote to memory of 2636 2796 Lekhfgfc.exe 36 PID 2796 wrote to memory of 2636 2796 Lekhfgfc.exe 36 PID 2796 wrote to memory of 2636 2796 Lekhfgfc.exe 36 PID 2796 wrote to memory of 2636 2796 Lekhfgfc.exe 36 PID 2636 wrote to memory of 620 2636 Lmgmjjdn.exe 37 PID 2636 wrote to memory of 620 2636 Lmgmjjdn.exe 37 PID 2636 wrote to memory of 620 2636 Lmgmjjdn.exe 37 PID 2636 wrote to memory of 620 2636 Lmgmjjdn.exe 37 PID 620 wrote to memory of 1812 620 Ldqegd32.exe 38 PID 620 wrote to memory of 1812 620 Ldqegd32.exe 38 PID 620 wrote to memory of 1812 620 Ldqegd32.exe 38 PID 620 wrote to memory of 1812 620 Ldqegd32.exe 38 PID 1812 wrote to memory of 2596 1812 Lpgele32.exe 39 PID 1812 wrote to memory of 2596 1812 Lpgele32.exe 39 PID 1812 wrote to memory of 2596 1812 Lpgele32.exe 39 PID 1812 wrote to memory of 2596 1812 Lpgele32.exe 39 PID 2596 wrote to memory of 2360 2596 Lkmjin32.exe 40 PID 2596 wrote to memory of 2360 2596 Lkmjin32.exe 40 PID 2596 wrote to memory of 2360 2596 Lkmjin32.exe 40 PID 2596 wrote to memory of 2360 2596 Lkmjin32.exe 40 PID 2360 wrote to memory of 2136 2360 Ldenbcge.exe 41 PID 2360 wrote to memory of 2136 2360 Ldenbcge.exe 41 PID 2360 wrote to memory of 2136 2360 Ldenbcge.exe 41 PID 2360 wrote to memory of 2136 2360 Ldenbcge.exe 41 PID 2136 wrote to memory of 2784 2136 Libgjj32.exe 42 PID 2136 wrote to memory of 2784 2136 Libgjj32.exe 42 PID 2136 wrote to memory of 2784 2136 Libgjj32.exe 42 PID 2136 wrote to memory of 2784 2136 Libgjj32.exe 42 PID 2784 wrote to memory of 2308 2784 Mcjkcplm.exe 43 PID 2784 wrote to memory of 2308 2784 Mcjkcplm.exe 43 PID 2784 wrote to memory of 2308 2784 Mcjkcplm.exe 43 PID 2784 wrote to memory of 2308 2784 Mcjkcplm.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\23851ba43dc6d675c52d97c55ebdce0bee85974c92f61cf0ad441c5b1b7d9608_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe37⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe38⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe39⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe40⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe43⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe44⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe45⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe48⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe52⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe56⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe58⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe59⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe61⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe62⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe63⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe64⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe66⤵
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe68⤵PID:1848
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe69⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe71⤵PID:1240
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe72⤵PID:1900
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe73⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe74⤵PID:2848
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe76⤵PID:2572
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe77⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe80⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe81⤵PID:772
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe82⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe83⤵PID:2216
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe84⤵
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:356 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1356 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe91⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe92⤵PID:632
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe94⤵PID:2740
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe96⤵PID:2524
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe97⤵PID:2780
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe98⤵PID:2500
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe99⤵PID:1716
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:784 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe103⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe104⤵PID:1832
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe105⤵PID:952
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe106⤵PID:3036
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe107⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe108⤵PID:2680
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe109⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe110⤵PID:2568
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe111⤵PID:2028
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe112⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe116⤵PID:2192
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe117⤵PID:656
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe118⤵PID:2916
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe120⤵PID:3064
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe121⤵PID:2144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-