Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/05/2024, 23:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe
-
Size
365KB
-
MD5
31462f473e79e8e54a3ec1c3aa4959f0
-
SHA1
d9e87faf8e076d5e9073652e7f4b0a811568c061
-
SHA256
1405a4c0fbc2a3951cd61c021027279ceedf5b0438a0bb1453bc9fa5a747a787
-
SHA512
271e18a03939d30a3eb21c4bc5f292cb7ba5c247ba67ce0b7bef4f3008064b83e410d2697f78ca7e9bf2d8160950ad14998ea897aff3396d1dd691a5372f1edd
-
SSDEEP
6144:aTH4WaVv/EoR9K2J5HnEjoR9qCnNRyoR9K2J5HnEjoR9Q:aMWNK8k5HnoK7MK8k5HnoK2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njlockkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgcfijj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbkddem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egoife32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgafdfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhooggdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biamilfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe -
Executes dropped EXE 64 IoCs
pid Process 3036 Nohnhc32.exe 2616 Ofbfdmeb.exe 3052 Okoomd32.exe 2428 Odgcfijj.exe 2416 Oicpfh32.exe 2224 Oomhcbjp.exe 2772 Oqndkj32.exe 2820 Obnqem32.exe 1584 Oelmai32.exe 2284 Ogjimd32.exe 2660 Ondajnme.exe 1184 Ocajbekl.exe 2056 Pminkk32.exe 2248 Pgobhcac.exe 1888 Pipopl32.exe 576 Paggai32.exe 2908 Pfdpip32.exe 2372 Piblek32.exe 2120 Pbkpna32.exe 3024 Peiljl32.exe 1460 Ppoqge32.exe 1572 Pbmmcq32.exe 1676 Pelipl32.exe 2268 Pigeqkai.exe 1636 Pndniaop.exe 2620 Pabjem32.exe 2516 Qlhnbf32.exe 2584 Qaefjm32.exe 2560 Qhooggdn.exe 2976 Qagcpljo.exe 2752 Ahakmf32.exe 2924 Afdlhchf.exe 1588 Amndem32.exe 2392 Aajpelhl.exe 2944 Ahchbf32.exe 2028 Ajbdna32.exe 2744 Apomfh32.exe 1652 Abmibdlh.exe 1056 Ajdadamj.exe 1748 Apajlhka.exe 2368 Abpfhcje.exe 2036 Amejeljk.exe 1632 Apcfahio.exe 1696 Abbbnchb.exe 280 Ailkjmpo.exe 340 Bpfcgg32.exe 2868 Bebkpn32.exe 1512 Bhahlj32.exe 2540 Bkodhe32.exe 1264 Bbflib32.exe 2888 Beehencq.exe 848 Bdhhqk32.exe 2608 Bloqah32.exe 276 Bkaqmeah.exe 2724 Bnpmipql.exe 2784 Balijo32.exe 1320 Bdjefj32.exe 988 Bhfagipa.exe 2656 Bkdmcdoe.exe 1212 Bnbjopoi.exe 1628 Banepo32.exe 2748 Bhhnli32.exe 1812 Bgknheej.exe 932 Bjijdadm.exe -
Loads dropped DLL 64 IoCs
pid Process 2088 31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe 2088 31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe 3036 Nohnhc32.exe 3036 Nohnhc32.exe 2616 Ofbfdmeb.exe 2616 Ofbfdmeb.exe 3052 Okoomd32.exe 3052 Okoomd32.exe 2428 Odgcfijj.exe 2428 Odgcfijj.exe 2416 Oicpfh32.exe 2416 Oicpfh32.exe 2224 Oomhcbjp.exe 2224 Oomhcbjp.exe 2772 Oqndkj32.exe 2772 Oqndkj32.exe 2820 Obnqem32.exe 2820 Obnqem32.exe 1584 Oelmai32.exe 1584 Oelmai32.exe 2284 Ogjimd32.exe 2284 Ogjimd32.exe 2660 Ondajnme.exe 2660 Ondajnme.exe 1184 Ocajbekl.exe 1184 Ocajbekl.exe 2056 Pminkk32.exe 2056 Pminkk32.exe 2248 Pgobhcac.exe 2248 Pgobhcac.exe 1888 Pipopl32.exe 1888 Pipopl32.exe 576 Paggai32.exe 576 Paggai32.exe 2908 Pfdpip32.exe 2908 Pfdpip32.exe 2372 Piblek32.exe 2372 Piblek32.exe 2120 Pbkpna32.exe 2120 Pbkpna32.exe 3024 Peiljl32.exe 3024 Peiljl32.exe 1460 Ppoqge32.exe 1460 Ppoqge32.exe 1572 Pbmmcq32.exe 1572 Pbmmcq32.exe 1676 Pelipl32.exe 1676 Pelipl32.exe 2268 Pigeqkai.exe 2268 Pigeqkai.exe 1636 Pndniaop.exe 1636 Pndniaop.exe 2620 Pabjem32.exe 2620 Pabjem32.exe 2516 Qlhnbf32.exe 2516 Qlhnbf32.exe 2584 Qaefjm32.exe 2584 Qaefjm32.exe 2560 Qhooggdn.exe 2560 Qhooggdn.exe 2976 Qagcpljo.exe 2976 Qagcpljo.exe 2752 Ahakmf32.exe 2752 Ahakmf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Leajdfnm.exe Lafndg32.exe File created C:\Windows\SysWOW64\Bgmlpbdc.dll Pogclp32.exe File opened for modification C:\Windows\SysWOW64\Qlkdkd32.exe Qmicohqm.exe File created C:\Windows\SysWOW64\Mdkmeh32.dll Igdogl32.exe File created C:\Windows\SysWOW64\Lnpbep32.dll Jjlnif32.exe File created C:\Windows\SysWOW64\Amkpegnj.exe Aipddi32.exe File opened for modification C:\Windows\SysWOW64\Doehqead.exe Dpbheh32.exe File created C:\Windows\SysWOW64\Ajfaqa32.dll Dhpiojfb.exe File created C:\Windows\SysWOW64\Gknfklng.dll Hggomh32.exe File created C:\Windows\SysWOW64\Ppbfpd32.exe Papfegmk.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Bbflib32.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Bdhhqk32.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Ebodiofk.exe File created C:\Windows\SysWOW64\Ongdpbkl.dll Iokfhi32.exe File opened for modification C:\Windows\SysWOW64\Aehboi32.exe Aamfnkai.exe File opened for modification C:\Windows\SysWOW64\Paggai32.exe Pipopl32.exe File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe Fcmgfkeg.exe File opened for modification C:\Windows\SysWOW64\Igdogl32.exe Ihankokm.exe File created C:\Windows\SysWOW64\Jejhecaj.exe Jfghif32.exe File created C:\Windows\SysWOW64\Acahnedo.dll Onjgiiad.exe File created C:\Windows\SysWOW64\Bocolb32.exe Bhigphio.exe File created C:\Windows\SysWOW64\Cahail32.exe Cnmehnan.exe File opened for modification C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Inqcif32.exe Ikbgmj32.exe File created C:\Windows\SysWOW64\Phoccb32.dll Jbjochdi.exe File opened for modification C:\Windows\SysWOW64\Jbllihbf.exe Jnqphi32.exe File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Odobjg32.exe Ofmbnkhg.exe File created C:\Windows\SysWOW64\Jcpclc32.dll Pefijfii.exe File opened for modification C:\Windows\SysWOW64\Eplkpgnh.exe Emnndlod.exe File created C:\Windows\SysWOW64\Cdakgibq.exe Cljcelan.exe File created C:\Windows\SysWOW64\Jdekadnf.dll Jnemdecl.exe File opened for modification C:\Windows\SysWOW64\Loeebl32.exe Llfifq32.exe File opened for modification C:\Windows\SysWOW64\Emnndlod.exe Eibbcm32.exe File opened for modification C:\Windows\SysWOW64\Effcma32.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Logbhl32.exe Lpdbloof.exe File created C:\Windows\SysWOW64\Pbfpik32.exe Pogclp32.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qedhdjnh.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Aidnohbk.exe Aidnohbk.exe File opened for modification C:\Windows\SysWOW64\Aoepcn32.exe Afohaa32.exe File created C:\Windows\SysWOW64\Gojbjm32.dll Ccahbp32.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jjojofgn.exe File opened for modification C:\Windows\SysWOW64\Keoapb32.exe Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File opened for modification C:\Windows\SysWOW64\Amejeljk.exe Abpfhcje.exe File created C:\Windows\SysWOW64\Bibckiab.dll Eajaoq32.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Nacgdhlp.exe File created C:\Windows\SysWOW64\Efkdgmla.dll Aehboi32.exe File created C:\Windows\SysWOW64\Lnfhlh32.dll Cjdfmo32.exe File created C:\Windows\SysWOW64\Najgne32.dll Eplkpgnh.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Kgkafo32.exe Kihqkagp.exe File created C:\Windows\SysWOW64\Abhimnma.exe Alnqqd32.exe File created C:\Windows\SysWOW64\Dogefd32.exe Dpeekh32.exe File opened for modification C:\Windows\SysWOW64\Ecqqpgli.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Dakmkaok.dll Olpdjf32.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Amndem32.exe File opened for modification C:\Windows\SysWOW64\Ajdadamj.exe Abmibdlh.exe File created C:\Windows\SysWOW64\Bbflib32.exe Bkodhe32.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Glfhll32.exe File created C:\Windows\SysWOW64\Bibkki32.dll Leajdfnm.exe File opened for modification C:\Windows\SysWOW64\Ojfaijcc.exe Obojhlbq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6300 6276 WerFault.exe 586 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgogg32.dll" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjbkk32.dll" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doffod32.dll" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpolo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdadamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hlcgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmahkol.dll" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bioqclil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmhmpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Apomfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpanefm.dll" Kbqecg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lliflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmkhb32.dll" Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll" Moiklogi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll" Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqphdm32.dll" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclpan32.dll" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqmicng.dll" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbjhf32.dll" Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlhkl32.dll" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" Cdakgibq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2088 wrote to memory of 3036 2088 31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe 28 PID 2088 wrote to memory of 3036 2088 31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe 28 PID 2088 wrote to memory of 3036 2088 31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe 28 PID 2088 wrote to memory of 3036 2088 31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe 28 PID 3036 wrote to memory of 2616 3036 Nohnhc32.exe 29 PID 3036 wrote to memory of 2616 3036 Nohnhc32.exe 29 PID 3036 wrote to memory of 2616 3036 Nohnhc32.exe 29 PID 3036 wrote to memory of 2616 3036 Nohnhc32.exe 29 PID 2616 wrote to memory of 3052 2616 Ofbfdmeb.exe 30 PID 2616 wrote to memory of 3052 2616 Ofbfdmeb.exe 30 PID 2616 wrote to memory of 3052 2616 Ofbfdmeb.exe 30 PID 2616 wrote to memory of 3052 2616 Ofbfdmeb.exe 30 PID 3052 wrote to memory of 2428 3052 Okoomd32.exe 31 PID 3052 wrote to memory of 2428 3052 Okoomd32.exe 31 PID 3052 wrote to memory of 2428 3052 Okoomd32.exe 31 PID 3052 wrote to memory of 2428 3052 Okoomd32.exe 31 PID 2428 wrote to memory of 2416 2428 Odgcfijj.exe 32 PID 2428 wrote to memory of 2416 2428 Odgcfijj.exe 32 PID 2428 wrote to memory of 2416 2428 Odgcfijj.exe 32 PID 2428 wrote to memory of 2416 2428 Odgcfijj.exe 32 PID 2416 wrote to memory of 2224 2416 Oicpfh32.exe 33 PID 2416 wrote to memory of 2224 2416 Oicpfh32.exe 33 PID 2416 wrote to memory of 2224 2416 Oicpfh32.exe 33 PID 2416 wrote to memory of 2224 2416 Oicpfh32.exe 33 PID 2224 wrote to memory of 2772 2224 Oomhcbjp.exe 34 PID 2224 wrote to memory of 2772 2224 Oomhcbjp.exe 34 PID 2224 wrote to memory of 2772 2224 Oomhcbjp.exe 34 PID 2224 wrote to memory of 2772 2224 Oomhcbjp.exe 34 PID 2772 wrote to memory of 2820 2772 Oqndkj32.exe 35 PID 2772 wrote to memory of 2820 2772 Oqndkj32.exe 35 PID 2772 wrote to memory of 2820 2772 Oqndkj32.exe 35 PID 2772 wrote to memory of 2820 2772 Oqndkj32.exe 35 PID 2820 wrote to memory of 1584 2820 Obnqem32.exe 36 PID 2820 wrote to memory of 1584 2820 Obnqem32.exe 36 PID 2820 wrote to memory of 1584 2820 Obnqem32.exe 36 PID 2820 wrote to memory of 1584 2820 Obnqem32.exe 36 PID 1584 wrote to memory of 2284 1584 Oelmai32.exe 37 PID 1584 wrote to memory of 2284 1584 Oelmai32.exe 37 PID 1584 wrote to memory of 2284 1584 Oelmai32.exe 37 PID 1584 wrote to memory of 2284 1584 Oelmai32.exe 37 PID 2284 wrote to memory of 2660 2284 Ogjimd32.exe 38 PID 2284 wrote to memory of 2660 2284 Ogjimd32.exe 38 PID 2284 wrote to memory of 2660 2284 Ogjimd32.exe 38 PID 2284 wrote to memory of 2660 2284 Ogjimd32.exe 38 PID 2660 wrote to memory of 1184 2660 Ondajnme.exe 39 PID 2660 wrote to memory of 1184 2660 Ondajnme.exe 39 PID 2660 wrote to memory of 1184 2660 Ondajnme.exe 39 PID 2660 wrote to memory of 1184 2660 Ondajnme.exe 39 PID 1184 wrote to memory of 2056 1184 Ocajbekl.exe 40 PID 1184 wrote to memory of 2056 1184 Ocajbekl.exe 40 PID 1184 wrote to memory of 2056 1184 Ocajbekl.exe 40 PID 1184 wrote to memory of 2056 1184 Ocajbekl.exe 40 PID 2056 wrote to memory of 2248 2056 Pminkk32.exe 41 PID 2056 wrote to memory of 2248 2056 Pminkk32.exe 41 PID 2056 wrote to memory of 2248 2056 Pminkk32.exe 41 PID 2056 wrote to memory of 2248 2056 Pminkk32.exe 41 PID 2248 wrote to memory of 1888 2248 Pgobhcac.exe 42 PID 2248 wrote to memory of 1888 2248 Pgobhcac.exe 42 PID 2248 wrote to memory of 1888 2248 Pgobhcac.exe 42 PID 2248 wrote to memory of 1888 2248 Pgobhcac.exe 42 PID 1888 wrote to memory of 576 1888 Pipopl32.exe 43 PID 1888 wrote to memory of 576 1888 Pipopl32.exe 43 PID 1888 wrote to memory of 576 1888 Pipopl32.exe 43 PID 1888 wrote to memory of 576 1888 Pipopl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\31462f473e79e8e54a3ec1c3aa4959f0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe33⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe36⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe37⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe41⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe43⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe44⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe45⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe47⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe48⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe49⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe52⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe54⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe55⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe56⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe57⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe58⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe59⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe60⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe61⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe62⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe63⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe64⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe65⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe66⤵PID:812
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe67⤵PID:2992
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe68⤵PID:2532
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe69⤵PID:1672
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe71⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe72⤵PID:2580
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe73⤵PID:1432
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe74⤵PID:2936
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe75⤵PID:1956
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe76⤵PID:1412
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe77⤵PID:852
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe78⤵PID:2096
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe79⤵PID:1456
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1240 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe81⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe82⤵
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe83⤵PID:2140
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe84⤵PID:2452
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe85⤵PID:2528
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe86⤵PID:1872
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe87⤵PID:1364
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe88⤵PID:1964
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1108 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe91⤵PID:1352
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe92⤵
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1924 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe95⤵PID:2700
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe97⤵PID:2440
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe98⤵PID:2988
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe99⤵PID:1720
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe100⤵PID:2008
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe101⤵PID:3028
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe102⤵PID:1912
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe103⤵PID:1668
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe104⤵PID:2716
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe105⤵PID:2556
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe106⤵PID:1440
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe107⤵PID:1356
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe108⤵PID:948
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe109⤵PID:696
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe110⤵PID:1948
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe111⤵PID:2376
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe112⤵PID:2300
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe113⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe114⤵PID:2780
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe115⤵PID:2536
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe116⤵PID:2460
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe117⤵PID:1308
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe118⤵PID:2832
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe119⤵PID:2968
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe120⤵PID:2776
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe121⤵
- Modifies registry class
PID:764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-