Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/05/2024, 23:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe
-
Size
89KB
-
MD5
8a96c61188ec778cc3eee3f3912ceb80
-
SHA1
3206f0164fa47421b8bf4c8685ee674aa33e0d8d
-
SHA256
ea714e81dd152ab358c1607bc1d0371d8f93a09d22927491ac169792464e3ac1
-
SHA512
1852416aef0dfce4905083995a4cc3d51ec2e91da5a27c5d05dd4f269ec26db3bb92b58b17d40fc77104e82ed16fad8d2920b9ead03ce91efa00f54d7314eea1
-
SSDEEP
1536:HhTQ+yYEGVtuEr2CZ2Pu0Jy+UDbKoxux9xecXlExkg8Fk:HhT0YDV2u0JyLDLMTUcXlakgwk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobjaqaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdfflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpbefoai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonafa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnbjopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkbap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpolo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Najdnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpeekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npdjje32.exe -
Executes dropped EXE 64 IoCs
pid Process 320 Aljgfioc.exe 2608 Blmdlhmp.exe 2636 Bhcdaibd.exe 2860 Bnpmipql.exe 2460 Bhfagipa.exe 2488 Bnbjopoi.exe 1316 Bhhnli32.exe 2252 Bnefdp32.exe 2824 Cgmkmecg.exe 2660 Cljcelan.exe 2680 Cdakgibq.exe 1440 Cllpkl32.exe 2656 Cjpqdp32.exe 1252 Comimg32.exe 2080 Chemfl32.exe 2120 Cckace32.exe 356 Chhjkl32.exe 452 Dflkdp32.exe 2140 Dodonf32.exe 1332 Dbbkja32.exe 804 Djnpnc32.exe 908 Dnilobkm.exe 1192 Dnlidb32.exe 1708 Dmoipopd.exe 1604 Dnneja32.exe 1600 Dgfjbgmh.exe 1924 Epaogi32.exe 2176 Eijcpoac.exe 2624 Eeqdep32.exe 2580 Epfhbign.exe 2512 Efppoc32.exe 2588 Enkece32.exe 2476 Ejbfhfaj.exe 1800 Fhffaj32.exe 2916 Flabbihl.exe 2980 Fejgko32.exe 1696 Fmekoalh.exe 2720 Fdoclk32.exe 2764 Fpfdalii.exe 1092 Ffpmnf32.exe 2272 Fbgmbg32.exe 2276 Feeiob32.exe 2868 Gbijhg32.exe 688 Gfefiemq.exe 1768 Gegfdb32.exe 1856 Ghfbqn32.exe 2224 Gpmjak32.exe 2128 Gejcjbah.exe 2352 Gieojq32.exe 3040 Gldkfl32.exe 1948 Gobgcg32.exe 2180 Gaqcoc32.exe 2620 Gdopkn32.exe 2540 Goddhg32.exe 2708 Gacpdbej.exe 2444 Gogangdc.exe 3000 Gaemjbcg.exe 1488 Gphmeo32.exe 1032 Hgbebiao.exe 1728 Hmlnoc32.exe 2716 Hdfflm32.exe 2772 Hkpnhgge.exe 1300 Hnojdcfi.exe 2948 Hckcmjep.exe -
Loads dropped DLL 64 IoCs
pid Process 3024 8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe 3024 8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe 320 Aljgfioc.exe 320 Aljgfioc.exe 2608 Blmdlhmp.exe 2608 Blmdlhmp.exe 2636 Bhcdaibd.exe 2636 Bhcdaibd.exe 2860 Bnpmipql.exe 2860 Bnpmipql.exe 2460 Bhfagipa.exe 2460 Bhfagipa.exe 2488 Bnbjopoi.exe 2488 Bnbjopoi.exe 1316 Bhhnli32.exe 1316 Bhhnli32.exe 2252 Bnefdp32.exe 2252 Bnefdp32.exe 2824 Cgmkmecg.exe 2824 Cgmkmecg.exe 2660 Cljcelan.exe 2660 Cljcelan.exe 2680 Cdakgibq.exe 2680 Cdakgibq.exe 1440 Cllpkl32.exe 1440 Cllpkl32.exe 2656 Cjpqdp32.exe 2656 Cjpqdp32.exe 1252 Comimg32.exe 1252 Comimg32.exe 2080 Chemfl32.exe 2080 Chemfl32.exe 2120 Cckace32.exe 2120 Cckace32.exe 356 Chhjkl32.exe 356 Chhjkl32.exe 452 Dflkdp32.exe 452 Dflkdp32.exe 2140 Dodonf32.exe 2140 Dodonf32.exe 1332 Dbbkja32.exe 1332 Dbbkja32.exe 804 Djnpnc32.exe 804 Djnpnc32.exe 908 Dnilobkm.exe 908 Dnilobkm.exe 1192 Dnlidb32.exe 1192 Dnlidb32.exe 1708 Dmoipopd.exe 1708 Dmoipopd.exe 1604 Dnneja32.exe 1604 Dnneja32.exe 1600 Dgfjbgmh.exe 1600 Dgfjbgmh.exe 1924 Epaogi32.exe 1924 Epaogi32.exe 2176 Eijcpoac.exe 2176 Eijcpoac.exe 2624 Eeqdep32.exe 2624 Eeqdep32.exe 2580 Epfhbign.exe 2580 Epfhbign.exe 2512 Efppoc32.exe 2512 Efppoc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jjifqd32.dll Aidnohbk.exe File opened for modification C:\Windows\SysWOW64\Ahikqd32.exe Aaobdjof.exe File opened for modification C:\Windows\SysWOW64\Ckafbbph.exe Cgejac32.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe Dnilobkm.exe File opened for modification C:\Windows\SysWOW64\Lkppbl32.exe Lhbcfa32.exe File opened for modification C:\Windows\SysWOW64\Mcbjgn32.exe Mijfnh32.exe File created C:\Windows\SysWOW64\Jcbellac.exe Jqdipqbp.exe File opened for modification C:\Windows\SysWOW64\Pjhknm32.exe Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Dfffnn32.exe Dnoomqbg.exe File created C:\Windows\SysWOW64\Pqhmfm32.dll Mpigfa32.exe File created C:\Windows\SysWOW64\Endhhp32.exe Egjpkffe.exe File created C:\Windows\SysWOW64\Jhgnia32.dll Efcfga32.exe File created C:\Windows\SysWOW64\Hggomh32.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Kfbkmk32.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Bmamfo32.dll Lmolnh32.exe File created C:\Windows\SysWOW64\Bmmiij32.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Apmmjh32.dll Bmmiij32.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Eekkdc32.dll Bhkdeggl.exe File opened for modification C:\Windows\SysWOW64\Cljcelan.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Lblqijln.dll Nondgn32.exe File created C:\Windows\SysWOW64\Pnajilng.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Dqehhb32.dll Mggpgmof.exe File opened for modification C:\Windows\SysWOW64\Bfcampgf.exe Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fejgko32.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hdfflm32.exe File created C:\Windows\SysWOW64\Aidnohbk.exe Abjebn32.exe File opened for modification C:\Windows\SysWOW64\Ogblbo32.exe Oqideepg.exe File created C:\Windows\SysWOW64\Fejgko32.exe Flabbihl.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Kfgdhjmk.exe Kpmlkp32.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bhfagipa.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Keoapb32.exe File created C:\Windows\SysWOW64\Lahkigca.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Hecjkifm.dll Dnilobkm.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Blmdlhmp.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Feeiob32.exe File created C:\Windows\SysWOW64\Ogdafiei.dll Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Aljgfioc.exe File created C:\Windows\SysWOW64\Qefpjhef.dll Cllpkl32.exe File created C:\Windows\SysWOW64\Kiebec32.dll Odobjg32.exe File created C:\Windows\SysWOW64\Qfokbnip.exe Qpecfc32.exe File created C:\Windows\SysWOW64\Bgagbb32.dll Mijfnh32.exe File opened for modification C:\Windows\SysWOW64\Odobjg32.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Omfkke32.exe File created C:\Windows\SysWOW64\Enakbp32.exe Dkcofe32.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Dnneja32.exe File created C:\Windows\SysWOW64\Fnnkng32.dll Bfcampgf.exe File created C:\Windows\SysWOW64\Bhkdeggl.exe Bemgilhh.exe File created C:\Windows\SysWOW64\Pnomcl32.exe Pkpagq32.exe File created C:\Windows\SysWOW64\Blpjegfm.exe Bmmiij32.exe File created C:\Windows\SysWOW64\Pmbdhi32.dll Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Agpgbgpe.dll Kifpdelo.exe File created C:\Windows\SysWOW64\Lhbcfa32.exe Lahkigca.exe File opened for modification C:\Windows\SysWOW64\Jbllihbf.exe Jkbcln32.exe File created C:\Windows\SysWOW64\Fdmahkol.dll Jkbcln32.exe File opened for modification C:\Windows\SysWOW64\Bnefdp32.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Ambcae32.dll Enkece32.exe File created C:\Windows\SysWOW64\Jfqahgpg.exe Jcbellac.exe File opened for modification C:\Windows\SysWOW64\Nnhkcj32.exe Ngnbgplj.exe File created C:\Windows\SysWOW64\Ahdaee32.exe Aefeijle.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3992 3832 WerFault.exe 322 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdklej32.dll" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljdpbcc.dll" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iknnbklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll" Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhfdmdo.dll" Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkbcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmcgmjk.dll" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojahnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" Hnagjbdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpebfbaj.dll" Npdjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccngld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afohaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goipbehm.dll" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mijfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiebec32.dll" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfommp32.dll" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjlmo32.dll" Aipddi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" Cljcelan.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 320 3024 8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe 28 PID 3024 wrote to memory of 320 3024 8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe 28 PID 3024 wrote to memory of 320 3024 8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe 28 PID 3024 wrote to memory of 320 3024 8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe 28 PID 320 wrote to memory of 2608 320 Aljgfioc.exe 29 PID 320 wrote to memory of 2608 320 Aljgfioc.exe 29 PID 320 wrote to memory of 2608 320 Aljgfioc.exe 29 PID 320 wrote to memory of 2608 320 Aljgfioc.exe 29 PID 2608 wrote to memory of 2636 2608 Blmdlhmp.exe 30 PID 2608 wrote to memory of 2636 2608 Blmdlhmp.exe 30 PID 2608 wrote to memory of 2636 2608 Blmdlhmp.exe 30 PID 2608 wrote to memory of 2636 2608 Blmdlhmp.exe 30 PID 2636 wrote to memory of 2860 2636 Bhcdaibd.exe 31 PID 2636 wrote to memory of 2860 2636 Bhcdaibd.exe 31 PID 2636 wrote to memory of 2860 2636 Bhcdaibd.exe 31 PID 2636 wrote to memory of 2860 2636 Bhcdaibd.exe 31 PID 2860 wrote to memory of 2460 2860 Bnpmipql.exe 32 PID 2860 wrote to memory of 2460 2860 Bnpmipql.exe 32 PID 2860 wrote to memory of 2460 2860 Bnpmipql.exe 32 PID 2860 wrote to memory of 2460 2860 Bnpmipql.exe 32 PID 2460 wrote to memory of 2488 2460 Bhfagipa.exe 33 PID 2460 wrote to memory of 2488 2460 Bhfagipa.exe 33 PID 2460 wrote to memory of 2488 2460 Bhfagipa.exe 33 PID 2460 wrote to memory of 2488 2460 Bhfagipa.exe 33 PID 2488 wrote to memory of 1316 2488 Bnbjopoi.exe 34 PID 2488 wrote to memory of 1316 2488 Bnbjopoi.exe 34 PID 2488 wrote to memory of 1316 2488 Bnbjopoi.exe 34 PID 2488 wrote to memory of 1316 2488 Bnbjopoi.exe 34 PID 1316 wrote to memory of 2252 1316 Bhhnli32.exe 35 PID 1316 wrote to memory of 2252 1316 Bhhnli32.exe 35 PID 1316 wrote to memory of 2252 1316 Bhhnli32.exe 35 PID 1316 wrote to memory of 2252 1316 Bhhnli32.exe 35 PID 2252 wrote to memory of 2824 2252 Bnefdp32.exe 36 PID 2252 wrote to memory of 2824 2252 Bnefdp32.exe 36 PID 2252 wrote to memory of 2824 2252 Bnefdp32.exe 36 PID 2252 wrote to memory of 2824 2252 Bnefdp32.exe 36 PID 2824 wrote to memory of 2660 2824 Cgmkmecg.exe 37 PID 2824 wrote to memory of 2660 2824 Cgmkmecg.exe 37 PID 2824 wrote to memory of 2660 2824 Cgmkmecg.exe 37 PID 2824 wrote to memory of 2660 2824 Cgmkmecg.exe 37 PID 2660 wrote to memory of 2680 2660 Cljcelan.exe 38 PID 2660 wrote to memory of 2680 2660 Cljcelan.exe 38 PID 2660 wrote to memory of 2680 2660 Cljcelan.exe 38 PID 2660 wrote to memory of 2680 2660 Cljcelan.exe 38 PID 2680 wrote to memory of 1440 2680 Cdakgibq.exe 39 PID 2680 wrote to memory of 1440 2680 Cdakgibq.exe 39 PID 2680 wrote to memory of 1440 2680 Cdakgibq.exe 39 PID 2680 wrote to memory of 1440 2680 Cdakgibq.exe 39 PID 1440 wrote to memory of 2656 1440 Cllpkl32.exe 40 PID 1440 wrote to memory of 2656 1440 Cllpkl32.exe 40 PID 1440 wrote to memory of 2656 1440 Cllpkl32.exe 40 PID 1440 wrote to memory of 2656 1440 Cllpkl32.exe 40 PID 2656 wrote to memory of 1252 2656 Cjpqdp32.exe 41 PID 2656 wrote to memory of 1252 2656 Cjpqdp32.exe 41 PID 2656 wrote to memory of 1252 2656 Cjpqdp32.exe 41 PID 2656 wrote to memory of 1252 2656 Cjpqdp32.exe 41 PID 1252 wrote to memory of 2080 1252 Comimg32.exe 42 PID 1252 wrote to memory of 2080 1252 Comimg32.exe 42 PID 1252 wrote to memory of 2080 1252 Comimg32.exe 42 PID 1252 wrote to memory of 2080 1252 Comimg32.exe 42 PID 2080 wrote to memory of 2120 2080 Chemfl32.exe 43 PID 2080 wrote to memory of 2120 2080 Chemfl32.exe 43 PID 2080 wrote to memory of 2120 2080 Chemfl32.exe 43 PID 2080 wrote to memory of 2120 2080 Chemfl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8a96c61188ec778cc3eee3f3912ceb80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:356 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe38⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe39⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe40⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe41⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe42⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe44⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe45⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe46⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe47⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe48⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe49⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe50⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe51⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe57⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe59⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe61⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe64⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe67⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe68⤵PID:912
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe69⤵PID:2852
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe70⤵PID:1908
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe71⤵
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe72⤵PID:1732
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe73⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe74⤵PID:2700
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe75⤵PID:2484
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe76⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe77⤵PID:2992
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe78⤵PID:1344
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe79⤵PID:1676
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe81⤵PID:2876
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe82⤵PID:1648
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe83⤵PID:1952
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe85⤵PID:2896
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe86⤵PID:608
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe87⤵PID:2184
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe88⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe90⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe91⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe92⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe93⤵PID:2796
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe95⤵PID:1004
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe96⤵PID:1700
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe97⤵PID:1124
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe98⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe101⤵PID:772
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe102⤵PID:2256
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe104⤵PID:2028
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe105⤵PID:2552
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe106⤵PID:2472
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe108⤵PID:1632
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe109⤵PID:2740
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe111⤵PID:420
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe112⤵PID:2144
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe113⤵PID:2156
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe114⤵
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe115⤵
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe116⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe117⤵PID:2468
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe118⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe119⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe120⤵PID:2044
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe121⤵
- Modifies registry class
PID:2116
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-