Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19/06/2024, 21:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe
-
Size
78KB
-
MD5
349992fb786325e13b2d76358c77d1b0
-
SHA1
34bd9d2674fd45803fb5238b1c0e418825f4c77b
-
SHA256
0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05
-
SHA512
5e0485b2deac54c54dfb2aa93ec67c7957d417b119b26670ac87a3f16143dc21ca2e5fcb89a8221f57a35b8095fc05128b97964795a32805db3373e62ce96947
-
SSDEEP
1536:E168o5mjwupBBXaie3o1IkIggsJVHcbns:G68oUBXaiecIogsDes
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inifnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnmfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmhdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbjhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nigome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebkpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iompkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peiepfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdllkhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqnejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npccpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbcpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieidmbcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijjoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnielm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albjlcao.exe -
Executes dropped EXE 64 IoCs
pid Process 1828 Ajphib32.exe 2224 Adhlaggp.exe 3060 Adjigg32.exe 2720 Aigaon32.exe 2436 Alenki32.exe 2608 Aiinen32.exe 2424 Aiinen32.exe 1656 Afmonbqk.exe 1316 Bpfcgg32.exe 1588 Bebkpn32.exe 2488 Bingpmnl.exe 1036 Beehencq.exe 1780 Begeknan.exe 1188 Bghabf32.exe 2956 Bdlblj32.exe 2232 Baqbenep.exe 488 Cjlgiqbk.exe 1740 Ccdlbf32.exe 2924 Cfbhnaho.exe 2380 Ccfhhffh.exe 2272 Cgbdhd32.exe 1644 Cpjiajeb.exe 612 Comimg32.exe 772 Claifkkf.exe 2044 Cckace32.exe 1956 Cdlnkmha.exe 2188 Cobbhfhg.exe 1504 Ddokpmfo.exe 2192 Dodonf32.exe 2644 Ddagfm32.exe 2844 Dnilobkm.exe 2724 Dqhhknjp.exe 1400 Dqjepm32.exe 2556 Dfgmhd32.exe 1844 Dcknbh32.exe 2912 Dfijnd32.exe 2184 Emcbkn32.exe 2772 Epaogi32.exe 2696 Epdkli32.exe 2768 Efncicpm.exe 1120 Epfhbign.exe 1396 Efppoc32.exe 2332 Epieghdk.exe 540 Ejbfhfaj.exe 720 Ebinic32.exe 2396 Fjdbnf32.exe 3052 Fnpnndgp.exe 1920 Fejgko32.exe 780 Ffkcbgek.exe 912 Fmekoalh.exe 3004 Fpdhklkl.exe 1572 Fdoclk32.exe 1508 Ffnphf32.exe 2628 Filldb32.exe 2108 Facdeo32.exe 2708 Fpfdalii.exe 2812 Fbdqmghm.exe 2508 Fbdqmghm.exe 1704 Fjlhneio.exe 2820 Fmjejphb.exe 1440 Fddmgjpo.exe 2676 Feeiob32.exe 2668 Globlmmj.exe 2744 Gfefiemq.exe -
Loads dropped DLL 64 IoCs
pid Process 2512 0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe 2512 0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe 1828 Ajphib32.exe 1828 Ajphib32.exe 2224 Adhlaggp.exe 2224 Adhlaggp.exe 3060 Adjigg32.exe 3060 Adjigg32.exe 2720 Aigaon32.exe 2720 Aigaon32.exe 2436 Alenki32.exe 2436 Alenki32.exe 2608 Aiinen32.exe 2608 Aiinen32.exe 2424 Aiinen32.exe 2424 Aiinen32.exe 1656 Afmonbqk.exe 1656 Afmonbqk.exe 1316 Bpfcgg32.exe 1316 Bpfcgg32.exe 1588 Bebkpn32.exe 1588 Bebkpn32.exe 2488 Bingpmnl.exe 2488 Bingpmnl.exe 1036 Beehencq.exe 1036 Beehencq.exe 1780 Begeknan.exe 1780 Begeknan.exe 1188 Bghabf32.exe 1188 Bghabf32.exe 2956 Bdlblj32.exe 2956 Bdlblj32.exe 2232 Baqbenep.exe 2232 Baqbenep.exe 488 Cjlgiqbk.exe 488 Cjlgiqbk.exe 1740 Ccdlbf32.exe 1740 Ccdlbf32.exe 2924 Cfbhnaho.exe 2924 Cfbhnaho.exe 2380 Ccfhhffh.exe 2380 Ccfhhffh.exe 2272 Cgbdhd32.exe 2272 Cgbdhd32.exe 1644 Cpjiajeb.exe 1644 Cpjiajeb.exe 612 Comimg32.exe 612 Comimg32.exe 772 Claifkkf.exe 772 Claifkkf.exe 2044 Cckace32.exe 2044 Cckace32.exe 1956 Cdlnkmha.exe 1956 Cdlnkmha.exe 2188 Cobbhfhg.exe 2188 Cobbhfhg.exe 1504 Ddokpmfo.exe 1504 Ddokpmfo.exe 2192 Dodonf32.exe 2192 Dodonf32.exe 2644 Ddagfm32.exe 2644 Ddagfm32.exe 2844 Dnilobkm.exe 2844 Dnilobkm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fbpljhnf.dll Mpjqiq32.exe File created C:\Windows\SysWOW64\Jpajnpao.dll Ghoegl32.exe File created C:\Windows\SysWOW64\Jnbfqn32.dll Ioaifhid.exe File opened for modification C:\Windows\SysWOW64\Pqhijbog.exe Pmlmic32.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Nejiih32.exe File created C:\Windows\SysWOW64\Fogilika.dll Cdlgpgef.exe File created C:\Windows\SysWOW64\Naaffn32.dll Amnfnfgg.exe File created C:\Windows\SysWOW64\Phofkg32.dll Hpkjko32.exe File created C:\Windows\SysWOW64\Djklnnaj.exe Dcadac32.exe File opened for modification C:\Windows\SysWOW64\Kjifhc32.exe Kbbngf32.exe File created C:\Windows\SysWOW64\Amkoie32.dll Onhgbmfb.exe File created C:\Windows\SysWOW64\Kjnifgah.dll Hggomh32.exe File created C:\Windows\SysWOW64\Kifpdelo.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Pmnafl32.dll Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Mlmlecec.exe Meccii32.exe File created C:\Windows\SysWOW64\Nmfmhhoj.dll Idnaoohk.exe File created C:\Windows\SysWOW64\Gcaciakh.dll Gogangdc.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Ocnfbo32.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Qfokbnip.exe Qcpofbjl.exe File created C:\Windows\SysWOW64\Dnilobkm.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Jjpdcc32.dll Jkdpanhg.exe File created C:\Windows\SysWOW64\Cldooj32.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Eqbddk32.exe Ebodiofk.exe File created C:\Windows\SysWOW64\Kifjcn32.dll Fddmgjpo.exe File created C:\Windows\SysWOW64\Ohhkjp32.exe Odlojanh.exe File opened for modification C:\Windows\SysWOW64\Nmnace32.exe Ngdifkpi.exe File opened for modification C:\Windows\SysWOW64\Icmegf32.exe Ioaifhid.exe File opened for modification C:\Windows\SysWOW64\Jgcdki32.exe Jdehon32.exe File created C:\Windows\SysWOW64\Leljop32.exe Lnbbbffj.exe File created C:\Windows\SysWOW64\Ffakeiib.dll Baqbenep.exe File created C:\Windows\SysWOW64\Kiijnq32.exe Jghmfhmb.exe File created C:\Windows\SysWOW64\Eiehea32.dll Iblpjdpk.exe File created C:\Windows\SysWOW64\Aphdelhp.dll Ejkima32.exe File created C:\Windows\SysWOW64\Lghjel32.exe Lanaiahq.exe File opened for modification C:\Windows\SysWOW64\Pmccjbaf.exe Pfikmh32.exe File created C:\Windows\SysWOW64\Aonghnnp.dll Ncjqhmkm.exe File created C:\Windows\SysWOW64\Dlmfmihf.dll Jfekcg32.exe File opened for modification C:\Windows\SysWOW64\Onmdoioa.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Pbhmnkjf.exe Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Pkdgpo32.exe Pmagdbci.exe File created C:\Windows\SysWOW64\Baadng32.exe Bmeimhdj.exe File created C:\Windows\SysWOW64\Bghabf32.exe Begeknan.exe File opened for modification C:\Windows\SysWOW64\Cldooj32.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Oehfcmhd.dll Cjfccn32.exe File created C:\Windows\SysWOW64\Mpjqiq32.exe Mmldme32.exe File created C:\Windows\SysWOW64\Gjodeppm.dll Mkclhl32.exe File created C:\Windows\SysWOW64\Enbfpg32.dll Pgplkb32.exe File opened for modification C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File created C:\Windows\SysWOW64\Idnmhkin.dll Hapicp32.exe File created C:\Windows\SysWOW64\Konojnki.dll Kmopod32.exe File created C:\Windows\SysWOW64\Kmmcjehm.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Ljkomfjl.exe Lpekon32.exe File created C:\Windows\SysWOW64\Epieghdk.exe Efppoc32.exe File created C:\Windows\SysWOW64\Llohjo32.exe Lmlhnagm.exe File created C:\Windows\SysWOW64\Mmjale32.dll Egllae32.exe File created C:\Windows\SysWOW64\Lecgje32.exe Lbeknj32.exe File created C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Llcefjgf.exe Lghjel32.exe File created C:\Windows\SysWOW64\Mlcpdacl.dll Bdkgocpm.exe File created C:\Windows\SysWOW64\Fbeccf32.dll Aiinen32.exe File created C:\Windows\SysWOW64\Dchfknpg.dll Ebinic32.exe File opened for modification C:\Windows\SysWOW64\Njlockkm.exe Nhkbkc32.exe File opened for modification C:\Windows\SysWOW64\Ddigjkid.exe Dbkknojp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5556 5460 WerFault.exe 596 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpolo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmdjdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Cobbhfhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milokblc.dll" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chboohof.dll" Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlnbeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" Ndbcpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoocjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihclng32.dll" Kgemplap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" Ncmfqkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmmcjehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biapcobb.dll" Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehdqecfo.dll" Gfmemc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adjigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Cgejac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Habfipdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbnlj32.dll" Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baadng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aipddi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albjlcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceodnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimckbco.dll" Lghjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbqabkql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbgbdkh.dll" Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll" Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cckace32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2512 wrote to memory of 1828 2512 0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe 28 PID 2512 wrote to memory of 1828 2512 0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe 28 PID 2512 wrote to memory of 1828 2512 0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe 28 PID 2512 wrote to memory of 1828 2512 0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe 28 PID 1828 wrote to memory of 2224 1828 Ajphib32.exe 29 PID 1828 wrote to memory of 2224 1828 Ajphib32.exe 29 PID 1828 wrote to memory of 2224 1828 Ajphib32.exe 29 PID 1828 wrote to memory of 2224 1828 Ajphib32.exe 29 PID 2224 wrote to memory of 3060 2224 Adhlaggp.exe 30 PID 2224 wrote to memory of 3060 2224 Adhlaggp.exe 30 PID 2224 wrote to memory of 3060 2224 Adhlaggp.exe 30 PID 2224 wrote to memory of 3060 2224 Adhlaggp.exe 30 PID 3060 wrote to memory of 2720 3060 Adjigg32.exe 31 PID 3060 wrote to memory of 2720 3060 Adjigg32.exe 31 PID 3060 wrote to memory of 2720 3060 Adjigg32.exe 31 PID 3060 wrote to memory of 2720 3060 Adjigg32.exe 31 PID 2720 wrote to memory of 2436 2720 Aigaon32.exe 32 PID 2720 wrote to memory of 2436 2720 Aigaon32.exe 32 PID 2720 wrote to memory of 2436 2720 Aigaon32.exe 32 PID 2720 wrote to memory of 2436 2720 Aigaon32.exe 32 PID 2436 wrote to memory of 2608 2436 Alenki32.exe 33 PID 2436 wrote to memory of 2608 2436 Alenki32.exe 33 PID 2436 wrote to memory of 2608 2436 Alenki32.exe 33 PID 2436 wrote to memory of 2608 2436 Alenki32.exe 33 PID 2608 wrote to memory of 2424 2608 Aiinen32.exe 34 PID 2608 wrote to memory of 2424 2608 Aiinen32.exe 34 PID 2608 wrote to memory of 2424 2608 Aiinen32.exe 34 PID 2608 wrote to memory of 2424 2608 Aiinen32.exe 34 PID 2424 wrote to memory of 1656 2424 Aiinen32.exe 35 PID 2424 wrote to memory of 1656 2424 Aiinen32.exe 35 PID 2424 wrote to memory of 1656 2424 Aiinen32.exe 35 PID 2424 wrote to memory of 1656 2424 Aiinen32.exe 35 PID 1656 wrote to memory of 1316 1656 Afmonbqk.exe 36 PID 1656 wrote to memory of 1316 1656 Afmonbqk.exe 36 PID 1656 wrote to memory of 1316 1656 Afmonbqk.exe 36 PID 1656 wrote to memory of 1316 1656 Afmonbqk.exe 36 PID 1316 wrote to memory of 1588 1316 Bpfcgg32.exe 37 PID 1316 wrote to memory of 1588 1316 Bpfcgg32.exe 37 PID 1316 wrote to memory of 1588 1316 Bpfcgg32.exe 37 PID 1316 wrote to memory of 1588 1316 Bpfcgg32.exe 37 PID 1588 wrote to memory of 2488 1588 Bebkpn32.exe 38 PID 1588 wrote to memory of 2488 1588 Bebkpn32.exe 38 PID 1588 wrote to memory of 2488 1588 Bebkpn32.exe 38 PID 1588 wrote to memory of 2488 1588 Bebkpn32.exe 38 PID 2488 wrote to memory of 1036 2488 Bingpmnl.exe 39 PID 2488 wrote to memory of 1036 2488 Bingpmnl.exe 39 PID 2488 wrote to memory of 1036 2488 Bingpmnl.exe 39 PID 2488 wrote to memory of 1036 2488 Bingpmnl.exe 39 PID 1036 wrote to memory of 1780 1036 Beehencq.exe 40 PID 1036 wrote to memory of 1780 1036 Beehencq.exe 40 PID 1036 wrote to memory of 1780 1036 Beehencq.exe 40 PID 1036 wrote to memory of 1780 1036 Beehencq.exe 40 PID 1780 wrote to memory of 1188 1780 Begeknan.exe 41 PID 1780 wrote to memory of 1188 1780 Begeknan.exe 41 PID 1780 wrote to memory of 1188 1780 Begeknan.exe 41 PID 1780 wrote to memory of 1188 1780 Begeknan.exe 41 PID 1188 wrote to memory of 2956 1188 Bghabf32.exe 42 PID 1188 wrote to memory of 2956 1188 Bghabf32.exe 42 PID 1188 wrote to memory of 2956 1188 Bghabf32.exe 42 PID 1188 wrote to memory of 2956 1188 Bghabf32.exe 42 PID 2956 wrote to memory of 2232 2956 Bdlblj32.exe 43 PID 2956 wrote to memory of 2232 2956 Bdlblj32.exe 43 PID 2956 wrote to memory of 2232 2956 Bdlblj32.exe 43 PID 2956 wrote to memory of 2232 2956 Bdlblj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0b0cef5077c0a296f2c0105981c7acda25fc57abb2b2587a581df07fab3e2f05_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe33⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe34⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe35⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe36⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe37⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe38⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe39⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe40⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe41⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe44⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe45⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:720 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe47⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe48⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe49⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe50⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe52⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe53⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe54⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe55⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe56⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe57⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe58⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe59⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe60⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe61⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe64⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe65⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe66⤵PID:2964
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe67⤵PID:2088
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe68⤵PID:2004
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe69⤵PID:1616
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe70⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe71⤵PID:2872
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe72⤵PID:2080
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe73⤵PID:1040
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe75⤵PID:2324
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe76⤵PID:1028
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe77⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe78⤵PID:2648
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe79⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe80⤵PID:1140
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe81⤵PID:2992
-
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe83⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe84⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe85⤵PID:1620
-
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe87⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe88⤵PID:1052
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe89⤵PID:2916
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe90⤵PID:452
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe91⤵PID:948
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe92⤵PID:356
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe93⤵PID:2356
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe94⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe95⤵PID:1044
-
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe96⤵PID:2012
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe97⤵PID:2456
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe98⤵PID:3020
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe99⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe100⤵PID:1608
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe101⤵PID:2752
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe102⤵PID:2308
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe103⤵PID:2972
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe104⤵PID:1480
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:276 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe106⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe107⤵PID:1268
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe108⤵PID:764
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe109⤵PID:1580
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe110⤵PID:1700
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe111⤵PID:2728
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe112⤵PID:2428
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe113⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe114⤵PID:2476
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe115⤵PID:1288
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe116⤵PID:1284
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe117⤵PID:2132
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe118⤵PID:324
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe119⤵PID:1796
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe120⤵PID:1124
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-