Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
30/06/2024, 10:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe
-
Size
236KB
-
MD5
1afdf72392da445d669af899bcdfaf10
-
SHA1
9c266851f6e9aa699b9ab2842b58ca41fa5851b7
-
SHA256
07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200
-
SHA512
58d29b46a6a65c28f3c0787f32d3fa4cc3f6a783fb1d3163e60d53b8714a394d78ff4322d5079bd8d5fb86076aad36ac90bb26c997f668277b5b60a5be78b775
-
SSDEEP
3072:GppBFTxhDHgq5hWD8J9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:G3T9h1hs8sDshsrtMsQB4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbgmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdbbloa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddaphkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe -
Executes dropped EXE 64 IoCs
pid Process 2216 Qljkhe32.exe 2680 Amndem32.exe 2664 Aalmklfi.exe 2652 Abmibdlh.exe 2492 Abbbnchb.exe 2564 Bpfcgg32.exe 2988 Bkodhe32.exe 2284 Bnpmipql.exe 1624 Banepo32.exe 1708 Bjijdadm.exe 1960 Cjlgiqbk.exe 832 Cfbhnaho.exe 1424 Ccfhhffh.exe 2828 Comimg32.exe 2052 Ckdjbh32.exe 604 Clcflkic.exe 1460 Cndbcc32.exe 1940 Dodonf32.exe 448 Dhmcfkme.exe 1760 Dkkpbgli.exe 1676 Dgaqgh32.exe 992 Dnlidb32.exe 2916 Djbiicon.exe 1668 Dmafennb.exe 2316 Eihfjo32.exe 1756 Eqonkmdh.exe 2456 Emeopn32.exe 2888 Ekklaj32.exe 2732 Egamfkdh.exe 2696 Eajaoq32.exe 2256 Egdilkbf.exe 2700 Ennaieib.exe 2612 Fmcoja32.exe 3040 Fjgoce32.exe 2044 Faagpp32.exe 2228 Fmhheqje.exe 2424 Fdapak32.exe 1964 Fjlhneio.exe 2876 Fddmgjpo.exe 1564 Gpknlk32.exe 1272 Gicbeald.exe 1084 Gieojq32.exe 536 Gkgkbipp.exe 380 Gelppaof.exe 2324 Gkihhhnm.exe 2152 Goddhg32.exe 340 Geolea32.exe 1148 Ghmiam32.exe 1212 Gogangdc.exe 2464 Gmjaic32.exe 2296 Gddifnbk.exe 2300 Hknach32.exe 2892 Hmlnoc32.exe 2248 Hpkjko32.exe 2692 Hkpnhgge.exe 2900 Hnojdcfi.exe 2748 Hdhbam32.exe 2864 Hggomh32.exe 2996 Hnagjbdf.exe 1872 Hobcak32.exe 1916 Hjhhocjj.exe 1636 Hpapln32.exe 2964 Hacmcfge.exe 1544 Hjjddchg.exe -
Loads dropped DLL 64 IoCs
pid Process 1440 07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe 1440 07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe 2216 Qljkhe32.exe 2216 Qljkhe32.exe 2680 Amndem32.exe 2680 Amndem32.exe 2664 Aalmklfi.exe 2664 Aalmklfi.exe 2652 Abmibdlh.exe 2652 Abmibdlh.exe 2492 Abbbnchb.exe 2492 Abbbnchb.exe 2564 Bpfcgg32.exe 2564 Bpfcgg32.exe 2988 Bkodhe32.exe 2988 Bkodhe32.exe 2284 Bnpmipql.exe 2284 Bnpmipql.exe 1624 Banepo32.exe 1624 Banepo32.exe 1708 Bjijdadm.exe 1708 Bjijdadm.exe 1960 Cjlgiqbk.exe 1960 Cjlgiqbk.exe 832 Cfbhnaho.exe 832 Cfbhnaho.exe 1424 Ccfhhffh.exe 1424 Ccfhhffh.exe 2828 Comimg32.exe 2828 Comimg32.exe 2052 Ckdjbh32.exe 2052 Ckdjbh32.exe 604 Clcflkic.exe 604 Clcflkic.exe 1460 Cndbcc32.exe 1460 Cndbcc32.exe 1940 Dodonf32.exe 1940 Dodonf32.exe 448 Dhmcfkme.exe 448 Dhmcfkme.exe 1760 Dkkpbgli.exe 1760 Dkkpbgli.exe 1676 Dgaqgh32.exe 1676 Dgaqgh32.exe 992 Dnlidb32.exe 992 Dnlidb32.exe 2916 Djbiicon.exe 2916 Djbiicon.exe 1668 Dmafennb.exe 1668 Dmafennb.exe 2316 Eihfjo32.exe 2316 Eihfjo32.exe 1756 Eqonkmdh.exe 1756 Eqonkmdh.exe 1688 Eilpeooq.exe 1688 Eilpeooq.exe 2888 Ekklaj32.exe 2888 Ekklaj32.exe 2732 Egamfkdh.exe 2732 Egamfkdh.exe 2696 Eajaoq32.exe 2696 Eajaoq32.exe 2256 Egdilkbf.exe 2256 Egdilkbf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Egdilkbf.exe Eajaoq32.exe File created C:\Windows\SysWOW64\Pdpfph32.dll Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Ldfgebbe.exe Lbeknj32.exe File created C:\Windows\SysWOW64\Ncgdbmmp.exe Mpigfa32.exe File opened for modification C:\Windows\SysWOW64\Nnennj32.exe Nkgbbo32.exe File opened for modification C:\Windows\SysWOW64\Anafhopc.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Djbiicon.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Igkdgk32.exe Idmhkpml.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mhgmapfi.exe File created C:\Windows\SysWOW64\Pgplkb32.exe Pfoocjfd.exe File created C:\Windows\SysWOW64\Ahlgfdeq.exe Aaaoij32.exe File created C:\Windows\SysWOW64\Ekklaj32.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Dbnkge32.dll Goddhg32.exe File created C:\Windows\SysWOW64\Pefijfii.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Ogdafiei.dll Pnajilng.exe File created C:\Windows\SysWOW64\Dkkpbgli.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Fdapak32.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Jmjjea32.exe Jfqahgpg.exe File created C:\Windows\SysWOW64\Mpfkqb32.exe Mgnfhlin.exe File created C:\Windows\SysWOW64\Mpigfa32.exe Mhbped32.exe File created C:\Windows\SysWOW64\Ekjajfei.dll Bldcpf32.exe File created C:\Windows\SysWOW64\Ccahbp32.exe Blgpef32.exe File created C:\Windows\SysWOW64\Hogmmjfo.exe Hjjddchg.exe File opened for modification C:\Windows\SysWOW64\Mgljbm32.exe Maoajf32.exe File created C:\Windows\SysWOW64\Iqfmng32.dll Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Mhdplq32.exe Lollckbk.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Ahlgfdeq.exe File created C:\Windows\SysWOW64\Ejobhppq.exe Eqgnokip.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Ckdjbh32.exe File created C:\Windows\SysWOW64\Amkoie32.dll Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Bmkmdk32.exe Bhndldcn.exe File created C:\Windows\SysWOW64\Bpbbfi32.dll Endhhp32.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Ekklaj32.exe File created C:\Windows\SysWOW64\Nclpan32.dll Jbnhng32.exe File opened for modification C:\Windows\SysWOW64\Lldlqakb.exe Kjcpii32.exe File created C:\Windows\SysWOW64\Jfqahgpg.exe Jofiln32.exe File created C:\Windows\SysWOW64\Mhbped32.exe Mgqcmlgl.exe File opened for modification C:\Windows\SysWOW64\Biamilfj.exe Bpiipf32.exe File created C:\Windows\SysWOW64\Aafminbq.dll Bmpfojmp.exe File created C:\Windows\SysWOW64\Fgpimg32.dll Bghjhp32.exe File created C:\Windows\SysWOW64\Inqcif32.exe Ikbgmj32.exe File opened for modification C:\Windows\SysWOW64\Jifdebic.exe Jbllihbf.exe File created C:\Windows\SysWOW64\Lflmci32.exe Llfifq32.exe File created C:\Windows\SysWOW64\Obojhlbq.exe Oopnlacm.exe File created C:\Windows\SysWOW64\Bjijdadm.exe Banepo32.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Fdapak32.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Kemejc32.exe Jbnhng32.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Ceodnl32.exe Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Ccfhhffh.exe File created C:\Windows\SysWOW64\Eihfjo32.exe Dmafennb.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mhbped32.exe File opened for modification C:\Windows\SysWOW64\Ncgdbmmp.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Fpkeqmgm.dll Pfoocjfd.exe File opened for modification C:\Windows\SysWOW64\Cklmgb32.exe Ceodnl32.exe File opened for modification C:\Windows\SysWOW64\Dknekeef.exe Djmicm32.exe File created C:\Windows\SysWOW64\Nlfgbn32.dll Idklfpon.exe File created C:\Windows\SysWOW64\Kiccofna.exe Kcfkfo32.exe File created C:\Windows\SysWOW64\Dqehhb32.dll Mppepcfg.exe File created C:\Windows\SysWOW64\Nhdlkdkg.exe Ncgdbmmp.exe File opened for modification C:\Windows\SysWOW64\Bldcpf32.exe Bifgdk32.exe File created C:\Windows\SysWOW64\Hadfjo32.dll Ckafbbph.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3464 3424 WerFault.exe 256 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqmbdn32.dll" Lemaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbfabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijmee32.dll" Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbpkign.dll" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnlkbne.dll" Lbeknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghmiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jifdebic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifone32.dll" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbgmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgogk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhccm32.dll" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Ckafbbph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgecelp.dll" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kahojc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokkjm32.dll" Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cddaphkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqehhb32.dll" Mppepcfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblqijln.dll" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhdd32.dll" Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1440 wrote to memory of 2216 1440 07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe 28 PID 1440 wrote to memory of 2216 1440 07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe 28 PID 1440 wrote to memory of 2216 1440 07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe 28 PID 1440 wrote to memory of 2216 1440 07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe 28 PID 2216 wrote to memory of 2680 2216 Qljkhe32.exe 29 PID 2216 wrote to memory of 2680 2216 Qljkhe32.exe 29 PID 2216 wrote to memory of 2680 2216 Qljkhe32.exe 29 PID 2216 wrote to memory of 2680 2216 Qljkhe32.exe 29 PID 2680 wrote to memory of 2664 2680 Amndem32.exe 30 PID 2680 wrote to memory of 2664 2680 Amndem32.exe 30 PID 2680 wrote to memory of 2664 2680 Amndem32.exe 30 PID 2680 wrote to memory of 2664 2680 Amndem32.exe 30 PID 2664 wrote to memory of 2652 2664 Aalmklfi.exe 31 PID 2664 wrote to memory of 2652 2664 Aalmklfi.exe 31 PID 2664 wrote to memory of 2652 2664 Aalmklfi.exe 31 PID 2664 wrote to memory of 2652 2664 Aalmklfi.exe 31 PID 2652 wrote to memory of 2492 2652 Abmibdlh.exe 32 PID 2652 wrote to memory of 2492 2652 Abmibdlh.exe 32 PID 2652 wrote to memory of 2492 2652 Abmibdlh.exe 32 PID 2652 wrote to memory of 2492 2652 Abmibdlh.exe 32 PID 2492 wrote to memory of 2564 2492 Abbbnchb.exe 33 PID 2492 wrote to memory of 2564 2492 Abbbnchb.exe 33 PID 2492 wrote to memory of 2564 2492 Abbbnchb.exe 33 PID 2492 wrote to memory of 2564 2492 Abbbnchb.exe 33 PID 2564 wrote to memory of 2988 2564 Bpfcgg32.exe 34 PID 2564 wrote to memory of 2988 2564 Bpfcgg32.exe 34 PID 2564 wrote to memory of 2988 2564 Bpfcgg32.exe 34 PID 2564 wrote to memory of 2988 2564 Bpfcgg32.exe 34 PID 2988 wrote to memory of 2284 2988 Bkodhe32.exe 35 PID 2988 wrote to memory of 2284 2988 Bkodhe32.exe 35 PID 2988 wrote to memory of 2284 2988 Bkodhe32.exe 35 PID 2988 wrote to memory of 2284 2988 Bkodhe32.exe 35 PID 2284 wrote to memory of 1624 2284 Bnpmipql.exe 36 PID 2284 wrote to memory of 1624 2284 Bnpmipql.exe 36 PID 2284 wrote to memory of 1624 2284 Bnpmipql.exe 36 PID 2284 wrote to memory of 1624 2284 Bnpmipql.exe 36 PID 1624 wrote to memory of 1708 1624 Banepo32.exe 37 PID 1624 wrote to memory of 1708 1624 Banepo32.exe 37 PID 1624 wrote to memory of 1708 1624 Banepo32.exe 37 PID 1624 wrote to memory of 1708 1624 Banepo32.exe 37 PID 1708 wrote to memory of 1960 1708 Bjijdadm.exe 38 PID 1708 wrote to memory of 1960 1708 Bjijdadm.exe 38 PID 1708 wrote to memory of 1960 1708 Bjijdadm.exe 38 PID 1708 wrote to memory of 1960 1708 Bjijdadm.exe 38 PID 1960 wrote to memory of 832 1960 Cjlgiqbk.exe 39 PID 1960 wrote to memory of 832 1960 Cjlgiqbk.exe 39 PID 1960 wrote to memory of 832 1960 Cjlgiqbk.exe 39 PID 1960 wrote to memory of 832 1960 Cjlgiqbk.exe 39 PID 832 wrote to memory of 1424 832 Cfbhnaho.exe 40 PID 832 wrote to memory of 1424 832 Cfbhnaho.exe 40 PID 832 wrote to memory of 1424 832 Cfbhnaho.exe 40 PID 832 wrote to memory of 1424 832 Cfbhnaho.exe 40 PID 1424 wrote to memory of 2828 1424 Ccfhhffh.exe 41 PID 1424 wrote to memory of 2828 1424 Ccfhhffh.exe 41 PID 1424 wrote to memory of 2828 1424 Ccfhhffh.exe 41 PID 1424 wrote to memory of 2828 1424 Ccfhhffh.exe 41 PID 2828 wrote to memory of 2052 2828 Comimg32.exe 42 PID 2828 wrote to memory of 2052 2828 Comimg32.exe 42 PID 2828 wrote to memory of 2052 2828 Comimg32.exe 42 PID 2828 wrote to memory of 2052 2828 Comimg32.exe 42 PID 2052 wrote to memory of 604 2052 Ckdjbh32.exe 43 PID 2052 wrote to memory of 604 2052 Ckdjbh32.exe 43 PID 2052 wrote to memory of 604 2052 Ckdjbh32.exe 43 PID 2052 wrote to memory of 604 2052 Ckdjbh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\07ee4397c5632671e1d6f0de171e2cc1b48a07548fff20505c98fca051e41200_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe28⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe29⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe37⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe40⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe43⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe46⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe49⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe51⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe53⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe54⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe55⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe56⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe57⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe60⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe61⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe62⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe64⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe67⤵PID:2924
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1432 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe70⤵PID:276
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe71⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe72⤵PID:1616
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe73⤵PID:2444
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe74⤵PID:2224
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe76⤵PID:1704
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe79⤵
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe81⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe83⤵PID:1516
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe86⤵
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:624 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe88⤵PID:1824
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe91⤵PID:544
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe92⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe95⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe96⤵PID:2784
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe97⤵PID:1712
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe98⤵PID:1620
-
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe99⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe101⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe102⤵PID:264
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe103⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe105⤵
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe106⤵PID:1696
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe107⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe109⤵PID:2752
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe110⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe111⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe112⤵PID:2844
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe113⤵PID:2816
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe114⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe115⤵PID:2060
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe118⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe119⤵PID:1776
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe120⤵
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe121⤵PID:2716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-