Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
24/06/2024, 07:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe
-
Size
104KB
-
MD5
0c7a971da24008eda40949925c5a9840
-
SHA1
f01b4448b7d63f97c409c43c73d494ea08916ec7
-
SHA256
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6
-
SHA512
f300ab1705100533f12c0d0794c075f79824a2df89cf5d32f27d7f5288b8742de9b6c427ab1fef4f3962472396e9b1ffe83b7bc59bfb92e6e7fcbede9ee077a6
-
SSDEEP
3072:OfkHV/tBJBqSspO+a6/ore59x7cEGrhkngpDvchkqbAIQS:OfWtsXpx59x4brq2Ahn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklnnaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmcijcbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkgfckcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blmdlhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkbcln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lemaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najdnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahokfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeofk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblhgk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2024 Afdlhchf.exe 1512 Amndem32.exe 2312 Ahchbf32.exe 2668 Ampqjm32.exe 2468 Adjigg32.exe 2728 Ajdadamj.exe 2572 Aigaon32.exe 2184 Apajlhka.exe 1972 Aenbdoii.exe 1988 Amejeljk.exe 2028 Aoffmd32.exe 1864 Ahokfj32.exe 2384 Boiccdnf.exe 352 Bebkpn32.exe 2780 Blmdlhmp.exe 2980 Bkodhe32.exe 676 Bbflib32.exe 1420 Bhcdaibd.exe 1556 Bloqah32.exe 2232 Balijo32.exe 1564 Begeknan.exe 300 Bghabf32.exe 1968 Bpafkknm.exe 1960 Bhhnli32.exe 2888 Bkfjhd32.exe 2916 Baqbenep.exe 1528 Bpcbqk32.exe 2144 Cngcjo32.exe 2948 Cpeofk32.exe 3048 Cfbhnaho.exe 2656 Cllpkl32.exe 2576 Ccfhhffh.exe 2944 Cgbdhd32.exe 2524 Cpjiajeb.exe 2300 Comimg32.exe 1904 Cjbmjplb.exe 844 Cckace32.exe 2376 Cdlnkmha.exe 1772 Cndbcc32.exe 868 Dflkdp32.exe 2792 Dkhcmgnl.exe 2856 Dbbkja32.exe 2800 Dgodbh32.exe 596 Dbehoa32.exe 1704 Dcfdgiid.exe 408 Dkmmhf32.exe 700 Dnlidb32.exe 1480 Ddeaalpg.exe 2100 Dchali32.exe 916 Dfgmhd32.exe 2940 Dnneja32.exe 1668 Doobajme.exe 1732 Doobajme.exe 2080 Dgfjbgmh.exe 3056 Dfijnd32.exe 2588 Djefobmk.exe 1464 Eihfjo32.exe 2476 Eqonkmdh.exe 2960 Ecmkghcl.exe 1376 Ebpkce32.exe 2396 Eflgccbp.exe 1848 Eijcpoac.exe 2744 Epdkli32.exe 2408 Ecpgmhai.exe -
Loads dropped DLL 64 IoCs
pid Process 2540 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 2540 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 2024 Afdlhchf.exe 2024 Afdlhchf.exe 1512 Amndem32.exe 1512 Amndem32.exe 2312 Ahchbf32.exe 2312 Ahchbf32.exe 2668 Ampqjm32.exe 2668 Ampqjm32.exe 2468 Adjigg32.exe 2468 Adjigg32.exe 2728 Ajdadamj.exe 2728 Ajdadamj.exe 2572 Aigaon32.exe 2572 Aigaon32.exe 2184 Apajlhka.exe 2184 Apajlhka.exe 1972 Aenbdoii.exe 1972 Aenbdoii.exe 1988 Amejeljk.exe 1988 Amejeljk.exe 2028 Aoffmd32.exe 2028 Aoffmd32.exe 1864 Ahokfj32.exe 1864 Ahokfj32.exe 2384 Boiccdnf.exe 2384 Boiccdnf.exe 352 Bebkpn32.exe 352 Bebkpn32.exe 2780 Blmdlhmp.exe 2780 Blmdlhmp.exe 2980 Bkodhe32.exe 2980 Bkodhe32.exe 676 Bbflib32.exe 676 Bbflib32.exe 1420 Bhcdaibd.exe 1420 Bhcdaibd.exe 1556 Bloqah32.exe 1556 Bloqah32.exe 2232 Balijo32.exe 2232 Balijo32.exe 1564 Begeknan.exe 1564 Begeknan.exe 300 Bghabf32.exe 300 Bghabf32.exe 1968 Bpafkknm.exe 1968 Bpafkknm.exe 1960 Bhhnli32.exe 1960 Bhhnli32.exe 2888 Bkfjhd32.exe 2888 Bkfjhd32.exe 2916 Baqbenep.exe 2916 Baqbenep.exe 1528 Bpcbqk32.exe 1528 Bpcbqk32.exe 2144 Cngcjo32.exe 2144 Cngcjo32.exe 2948 Cpeofk32.exe 2948 Cpeofk32.exe 3048 Cfbhnaho.exe 3048 Cfbhnaho.exe 2656 Cllpkl32.exe 2656 Cllpkl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Kijbioba.dll Doehqead.exe File created C:\Windows\SysWOW64\Jfojbj32.dll Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Bhlhkl32.dll Kngfih32.exe File created C:\Windows\SysWOW64\Kjmbgl32.dll Nacgdhlp.exe File created C:\Windows\SysWOW64\Hejodhmc.dll Oqkqkdne.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Hokefmej.dll Ahchbf32.exe File created C:\Windows\SysWOW64\Imhjppim.dll Cpeofk32.exe File created C:\Windows\SysWOW64\Ddflckmp.dll Bhhnli32.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Keanebkb.exe File created C:\Windows\SysWOW64\Mgimmm32.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Onqamf32.dll Afcenm32.exe File opened for modification C:\Windows\SysWOW64\Bmmiij32.exe Bkommo32.exe File created C:\Windows\SysWOW64\Bpjiammk.dll Apajlhka.exe File created C:\Windows\SysWOW64\Icplghmh.dll Boiccdnf.exe File created C:\Windows\SysWOW64\Qffmipmp.dll Emieil32.exe File created C:\Windows\SysWOW64\Cllpkl32.exe Cfbhnaho.exe File created C:\Windows\SysWOW64\Doobajme.exe Doobajme.exe File created C:\Windows\SysWOW64\Ocjcidbb.dll Gbijhg32.exe File created C:\Windows\SysWOW64\Jondlhmp.dll Geolea32.exe File created C:\Windows\SysWOW64\Loeebl32.exe Lpbefoai.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mkgfckcj.exe File created C:\Windows\SysWOW64\Bkodhe32.exe Blmdlhmp.exe File opened for modification C:\Windows\SysWOW64\Bkfjhd32.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Miooigfo.exe Mgqcmlgl.exe File created C:\Windows\SysWOW64\Bmpfojmp.exe Bidjnkdg.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Jgnamk32.exe Jcbellac.exe File created C:\Windows\SysWOW64\Hdnaeh32.dll Kemejc32.exe File opened for modification C:\Windows\SysWOW64\Ohfeog32.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Bgmlpbdc.dll Pogclp32.exe File created C:\Windows\SysWOW64\Bccnbmal.dll Faagpp32.exe File created C:\Windows\SysWOW64\Facdeo32.exe Filldb32.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe File created C:\Windows\SysWOW64\Nkemkhcd.dll Pqkmjh32.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Oikojfgk.exe File created C:\Windows\SysWOW64\Gdidec32.dll Cahail32.exe File created C:\Windows\SysWOW64\Lklohbmo.dll Ckccgane.exe File created C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Ggpimica.exe Gdamqndn.exe File created C:\Windows\SysWOW64\Limfed32.exe Lafndg32.exe File opened for modification C:\Windows\SysWOW64\Lajhofao.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Pciifc32.exe Pqkmjh32.exe File created C:\Windows\SysWOW64\Ppbfpd32.exe Papfegmk.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Afohaa32.exe File created C:\Windows\SysWOW64\Eqijej32.exe Emnndlod.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Facdeo32.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Pgeefbhm.exe Pciifc32.exe File created C:\Windows\SysWOW64\Aaobdjof.exe Abmbhn32.exe File created C:\Windows\SysWOW64\Anccmo32.exe Alegac32.exe File opened for modification C:\Windows\SysWOW64\Cohigamf.exe Cklmgb32.exe File created C:\Windows\SysWOW64\Dbbkja32.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Hgbebiao.exe Gddifnbk.exe File opened for modification C:\Windows\SysWOW64\Namqci32.exe Nondgn32.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Chbjffad.exe File created C:\Windows\SysWOW64\Ebpkce32.exe Ecmkghcl.exe File created C:\Windows\SysWOW64\Bgagbb32.dll Mpdnkb32.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fpfdalii.exe File created C:\Windows\SysWOW64\Ldnlic32.dll Jjlnif32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5312 5280 WerFault.exe 502 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abmbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbdhi32.dll" Bpleef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpicol32.dll" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpbahga.dll" Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Albjlcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amfcikek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oikojfgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pogclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" Fjilieka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdlgpgef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlanqkq.dll" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoia32.dll" Jehkodcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhbped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbgbdkh.dll" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll" Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleofcd.dll" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afohaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgejac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqmmidel.dll" Mmahdggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakmkaok.dll" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" Ifnechbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" Faagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpleef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhpiojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojolhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpeekh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2540 wrote to memory of 2024 2540 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 28 PID 2540 wrote to memory of 2024 2540 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 28 PID 2540 wrote to memory of 2024 2540 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 28 PID 2540 wrote to memory of 2024 2540 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 28 PID 2024 wrote to memory of 1512 2024 Afdlhchf.exe 29 PID 2024 wrote to memory of 1512 2024 Afdlhchf.exe 29 PID 2024 wrote to memory of 1512 2024 Afdlhchf.exe 29 PID 2024 wrote to memory of 1512 2024 Afdlhchf.exe 29 PID 1512 wrote to memory of 2312 1512 Amndem32.exe 30 PID 1512 wrote to memory of 2312 1512 Amndem32.exe 30 PID 1512 wrote to memory of 2312 1512 Amndem32.exe 30 PID 1512 wrote to memory of 2312 1512 Amndem32.exe 30 PID 2312 wrote to memory of 2668 2312 Ahchbf32.exe 31 PID 2312 wrote to memory of 2668 2312 Ahchbf32.exe 31 PID 2312 wrote to memory of 2668 2312 Ahchbf32.exe 31 PID 2312 wrote to memory of 2668 2312 Ahchbf32.exe 31 PID 2668 wrote to memory of 2468 2668 Ampqjm32.exe 32 PID 2668 wrote to memory of 2468 2668 Ampqjm32.exe 32 PID 2668 wrote to memory of 2468 2668 Ampqjm32.exe 32 PID 2668 wrote to memory of 2468 2668 Ampqjm32.exe 32 PID 2468 wrote to memory of 2728 2468 Adjigg32.exe 33 PID 2468 wrote to memory of 2728 2468 Adjigg32.exe 33 PID 2468 wrote to memory of 2728 2468 Adjigg32.exe 33 PID 2468 wrote to memory of 2728 2468 Adjigg32.exe 33 PID 2728 wrote to memory of 2572 2728 Ajdadamj.exe 34 PID 2728 wrote to memory of 2572 2728 Ajdadamj.exe 34 PID 2728 wrote to memory of 2572 2728 Ajdadamj.exe 34 PID 2728 wrote to memory of 2572 2728 Ajdadamj.exe 34 PID 2572 wrote to memory of 2184 2572 Aigaon32.exe 35 PID 2572 wrote to memory of 2184 2572 Aigaon32.exe 35 PID 2572 wrote to memory of 2184 2572 Aigaon32.exe 35 PID 2572 wrote to memory of 2184 2572 Aigaon32.exe 35 PID 2184 wrote to memory of 1972 2184 Apajlhka.exe 36 PID 2184 wrote to memory of 1972 2184 Apajlhka.exe 36 PID 2184 wrote to memory of 1972 2184 Apajlhka.exe 36 PID 2184 wrote to memory of 1972 2184 Apajlhka.exe 36 PID 1972 wrote to memory of 1988 1972 Aenbdoii.exe 37 PID 1972 wrote to memory of 1988 1972 Aenbdoii.exe 37 PID 1972 wrote to memory of 1988 1972 Aenbdoii.exe 37 PID 1972 wrote to memory of 1988 1972 Aenbdoii.exe 37 PID 1988 wrote to memory of 2028 1988 Amejeljk.exe 38 PID 1988 wrote to memory of 2028 1988 Amejeljk.exe 38 PID 1988 wrote to memory of 2028 1988 Amejeljk.exe 38 PID 1988 wrote to memory of 2028 1988 Amejeljk.exe 38 PID 2028 wrote to memory of 1864 2028 Aoffmd32.exe 39 PID 2028 wrote to memory of 1864 2028 Aoffmd32.exe 39 PID 2028 wrote to memory of 1864 2028 Aoffmd32.exe 39 PID 2028 wrote to memory of 1864 2028 Aoffmd32.exe 39 PID 1864 wrote to memory of 2384 1864 Ahokfj32.exe 40 PID 1864 wrote to memory of 2384 1864 Ahokfj32.exe 40 PID 1864 wrote to memory of 2384 1864 Ahokfj32.exe 40 PID 1864 wrote to memory of 2384 1864 Ahokfj32.exe 40 PID 2384 wrote to memory of 352 2384 Boiccdnf.exe 41 PID 2384 wrote to memory of 352 2384 Boiccdnf.exe 41 PID 2384 wrote to memory of 352 2384 Boiccdnf.exe 41 PID 2384 wrote to memory of 352 2384 Boiccdnf.exe 41 PID 352 wrote to memory of 2780 352 Bebkpn32.exe 42 PID 352 wrote to memory of 2780 352 Bebkpn32.exe 42 PID 352 wrote to memory of 2780 352 Bebkpn32.exe 42 PID 352 wrote to memory of 2780 352 Bebkpn32.exe 42 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 43 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 43 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 43 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe33⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe34⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe36⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe37⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe38⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe39⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe40⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe41⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe43⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe44⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe46⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe47⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe48⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe49⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe50⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe51⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe55⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe56⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe57⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe58⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe59⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe61⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe62⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe64⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe65⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe66⤵PID:1120
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe67⤵PID:780
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe68⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe69⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe70⤵PID:1964
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe71⤵PID:612
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe72⤵PID:1608
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe73⤵PID:2084
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe74⤵PID:1560
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe75⤵PID:2720
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe76⤵PID:2624
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe77⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe78⤵PID:2968
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe80⤵PID:276
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe81⤵PID:1260
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe82⤵PID:2808
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe83⤵PID:2272
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe84⤵PID:1780
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe85⤵
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1312 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe88⤵PID:1520
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe90⤵PID:2568
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe91⤵PID:2836
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe92⤵PID:2708
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe93⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe95⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe96⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe97⤵PID:1692
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe98⤵PID:2840
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe99⤵
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe100⤵PID:1748
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe101⤵PID:1708
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe102⤵PID:3016
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe104⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe105⤵PID:2684
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe106⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe107⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe108⤵PID:1632
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe109⤵PID:2372
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe110⤵PID:1036
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe111⤵PID:1408
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe112⤵PID:1128
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe113⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe114⤵PID:904
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe115⤵PID:1432
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe116⤵PID:2876
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe117⤵PID:2852
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe118⤵PID:1580
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe119⤵PID:2044
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe120⤵PID:2764
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe121⤵
- Drops file in System32 directory
PID:320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-