Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/05/2024, 18:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe
-
Size
896KB
-
MD5
00b91f78cbeb13f39bac09ccec6a1730
-
SHA1
0e8eafb82c79ecd839e56168f496d0b8bd548995
-
SHA256
abc9a0dd3604a0081960615cf7c4d63fd6ee2b0d582c929307a51ce26d3f36f1
-
SHA512
9edf3dd6f9dd6088d1f882f57f0c2aca7d13ef929b062d45b01eb25ab3941a417589e02c2d5b184de5d338b7c95c380527118b30b531c71a46805e8ca47489d7
-
SSDEEP
12288:7h8bByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:lNvr4B9f01ZmQvrUENOVvr1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggkcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emjhmipi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmabmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aphjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffbmfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndbile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafedmlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjbfhqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhcknpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fogibnha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknimnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnicbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opmhqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfihkoal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ammmlcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqnfkoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjkehhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjpmkdpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkpnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpemob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embkbdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emceag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khpaidpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpceebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmloigln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfedlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckdpinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfpabkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oapcfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidpjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhgpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjboeenh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llainlje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Indnnfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfbpaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbclamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Piieicgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmbabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfgkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahllda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gockgdeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqfabdaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhncclq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kheaoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkqlgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keappgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egikle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalnmahf.exe -
Executes dropped EXE 64 IoCs
pid Process 3040 Pohfehdi.exe 2516 Pdldnomh.exe 2520 Qcqaok32.exe 2652 Afajafoa.exe 2428 Aibcba32.exe 2496 Aidphq32.exe 556 Abmdafpp.exe 2356 Ajhiei32.exe 1200 Agljom32.exe 2808 Badnhbce.exe 2320 Bmkomchi.exe 1440 Bjoofhgc.exe 2144 Bplhnoej.exe 1516 Blchcpko.exe 2016 Bekmle32.exe 1144 Bbonei32.exe 1436 Clgbno32.exe 2968 Cikbhc32.exe 1988 Cbdgqimc.exe 972 Cedpbd32.exe 1712 Gcokiaji.exe 1096 Hhhgcc32.exe 1316 Hhjcic32.exe 1344 Idadnd32.exe 1304 Iaeegh32.exe 2348 Ifampo32.exe 1572 Idfnicfl.exe 2844 Ilabmedg.exe 2956 Ieigfk32.exe 2508 Ioakoq32.exe 2784 Jhjphfgi.exe 2580 Jodhdp32.exe 2204 Jdaqmg32.exe 2420 Jaeafklf.exe 1972 Jkmeoa32.exe 1576 Jhafhe32.exe 2228 Jplkmgol.exe 3000 Jkbojpna.exe 1720 Kcmcoblm.exe 2716 Klehgh32.exe 2680 Kfnmpn32.exe 2952 Kcamjb32.exe 2044 Kljabgnh.exe 2304 Kbgjkn32.exe 1080 Kkoncdcp.exe 1112 Khcomhbi.exe 1992 Lblcfnhj.exe 2608 Lbnpkmfg.exe 1228 Ljieppcb.exe 3024 Lcaiiejc.exe 2460 Lohjnf32.exe 2972 Lcfbdd32.exe 2424 Mchoid32.exe 2492 Mfihkoal.exe 2284 Macilmnk.exe 1156 Mngjeamd.exe 2984 Nagbgl32.exe 2004 Nnkcpq32.exe 2400 Nhdhif32.exe 2332 Npolmh32.exe 2572 Nlfmbibo.exe 944 Nijnln32.exe 1484 Nfnneb32.exe 2996 Opfbngfb.exe -
Loads dropped DLL 64 IoCs
pid Process 1708 00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe 1708 00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe 3040 Pohfehdi.exe 3040 Pohfehdi.exe 2516 Pdldnomh.exe 2516 Pdldnomh.exe 2520 Qcqaok32.exe 2520 Qcqaok32.exe 2652 Afajafoa.exe 2652 Afajafoa.exe 2428 Aibcba32.exe 2428 Aibcba32.exe 2496 Aidphq32.exe 2496 Aidphq32.exe 556 Abmdafpp.exe 556 Abmdafpp.exe 2356 Ajhiei32.exe 2356 Ajhiei32.exe 1200 Agljom32.exe 1200 Agljom32.exe 2808 Badnhbce.exe 2808 Badnhbce.exe 2320 Bmkomchi.exe 2320 Bmkomchi.exe 1440 Bjoofhgc.exe 1440 Bjoofhgc.exe 2144 Bplhnoej.exe 2144 Bplhnoej.exe 1516 Blchcpko.exe 1516 Blchcpko.exe 2016 Bekmle32.exe 2016 Bekmle32.exe 1144 Bbonei32.exe 1144 Bbonei32.exe 1436 Clgbno32.exe 1436 Clgbno32.exe 2968 Cikbhc32.exe 2968 Cikbhc32.exe 1988 Cbdgqimc.exe 1988 Cbdgqimc.exe 972 Cedpbd32.exe 972 Cedpbd32.exe 1712 Gcokiaji.exe 1712 Gcokiaji.exe 1096 Hhhgcc32.exe 1096 Hhhgcc32.exe 1316 Hhjcic32.exe 1316 Hhjcic32.exe 1344 Idadnd32.exe 1344 Idadnd32.exe 1304 Iaeegh32.exe 1304 Iaeegh32.exe 2348 Ifampo32.exe 2348 Ifampo32.exe 1572 Idfnicfl.exe 1572 Idfnicfl.exe 2844 Ilabmedg.exe 2844 Ilabmedg.exe 2956 Ieigfk32.exe 2956 Ieigfk32.exe 2508 Ioakoq32.exe 2508 Ioakoq32.exe 2784 Jhjphfgi.exe 2784 Jhjphfgi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lbnaaeim.dll Joggci32.exe File opened for modification C:\Windows\SysWOW64\Mciabmlo.exe Mcfemmna.exe File opened for modification C:\Windows\SysWOW64\Fapgblob.exe Fiebnjbg.exe File created C:\Windows\SysWOW64\Ndcjglje.dll Hkbmil32.exe File created C:\Windows\SysWOW64\Fkjbpkag.exe Emceag32.exe File opened for modification C:\Windows\SysWOW64\Ppfomk32.exe Pdonhj32.exe File opened for modification C:\Windows\SysWOW64\Nmfbpk32.exe Napbjjom.exe File created C:\Windows\SysWOW64\Miglkjli.dll Jpcfih32.exe File created C:\Windows\SysWOW64\Hefhqhka.dll Nlfmbibo.exe File opened for modification C:\Windows\SysWOW64\Qnqjkh32.exe Ppkmjlca.exe File opened for modification C:\Windows\SysWOW64\Halcmn32.exe Hkbkpcpd.exe File created C:\Windows\SysWOW64\Gllnnc32.exe Fpemhb32.exe File opened for modification C:\Windows\SysWOW64\Jehpna32.exe Iiobcq32.exe File created C:\Windows\SysWOW64\Jgjkfi32.exe Jfjolf32.exe File opened for modification C:\Windows\SysWOW64\Mfpmbf32.exe Mcaafk32.exe File created C:\Windows\SysWOW64\Kbmfgk32.exe Jfdhmk32.exe File created C:\Windows\SysWOW64\Hfopbgif.dll Libjncnc.exe File created C:\Windows\SysWOW64\Agjlmh32.dll Ipdaek32.exe File opened for modification C:\Windows\SysWOW64\Ggmjkapi.exe Gqcaoghl.exe File opened for modification C:\Windows\SysWOW64\Lddagi32.exe Kcahjqfa.exe File created C:\Windows\SysWOW64\Jdhfppnm.dll Cicalakk.exe File created C:\Windows\SysWOW64\Goiongbc.exe Eegkpo32.exe File created C:\Windows\SysWOW64\Pbpifm32.dll Ikqnlh32.exe File created C:\Windows\SysWOW64\Dpkfnbja.dll Opodknco.exe File created C:\Windows\SysWOW64\Mmdjkhdh.exe Mggabaea.exe File opened for modification C:\Windows\SysWOW64\Eicpcm32.exe Djocbqpb.exe File created C:\Windows\SysWOW64\Cnnimkom.exe Chocodch.exe File opened for modification C:\Windows\SysWOW64\Lmcilp32.exe Lhfpdi32.exe File created C:\Windows\SysWOW64\Kpnend32.dll Phgfko32.exe File created C:\Windows\SysWOW64\Jpaood32.dll Lckbkfbb.exe File opened for modification C:\Windows\SysWOW64\Oclpdf32.exe Ojdlkp32.exe File created C:\Windows\SysWOW64\Eemjkkbq.dll Npolmh32.exe File created C:\Windows\SysWOW64\Piieicgl.exe Pndalkgf.exe File created C:\Windows\SysWOW64\Jpomnilc.exe Ijphqbpo.exe File created C:\Windows\SysWOW64\Ghhpkmjg.dll Fehmlh32.exe File created C:\Windows\SysWOW64\Hfjckino.dll Idkpganf.exe File created C:\Windows\SysWOW64\Dgoakpjn.exe Dodlfmlb.exe File opened for modification C:\Windows\SysWOW64\Eenabkfk.exe Epqhjdhc.exe File created C:\Windows\SysWOW64\Fifjgemj.dll Oclpdf32.exe File created C:\Windows\SysWOW64\Bplhnoej.exe Bjoofhgc.exe File created C:\Windows\SysWOW64\Bddbjhlp.exe Bjjaikoa.exe File opened for modification C:\Windows\SysWOW64\Iplnpq32.exe Innbde32.exe File created C:\Windows\SysWOW64\Lfingaaf.exe Lckbkfbb.exe File opened for modification C:\Windows\SysWOW64\Qackpado.exe Qobbofgn.exe File created C:\Windows\SysWOW64\Bfioia32.exe Bnknoogp.exe File opened for modification C:\Windows\SysWOW64\Hcnfjpib.exe Hfjfpkji.exe File created C:\Windows\SysWOW64\Okhgod32.exe Oapcfo32.exe File opened for modification C:\Windows\SysWOW64\Icjmpd32.exe Imqdcjkd.exe File created C:\Windows\SysWOW64\Aphdkpjd.dll Maldfbjn.exe File created C:\Windows\SysWOW64\Gdmbhnjj.exe Gmcikd32.exe File opened for modification C:\Windows\SysWOW64\Qiflohqk.exe Picojhcm.exe File created C:\Windows\SysWOW64\Aognbnkm.exe Aacmij32.exe File created C:\Windows\SysWOW64\Bdibjakn.dll Pccdqloh.exe File created C:\Windows\SysWOW64\Epfbbghh.dll Epqhjdhc.exe File opened for modification C:\Windows\SysWOW64\Ohnemidj.exe Oclpdf32.exe File opened for modification C:\Windows\SysWOW64\Glbaei32.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Cillcclg.dll Oiifcdhn.exe File created C:\Windows\SysWOW64\Hbidne32.exe Hmjoqo32.exe File created C:\Windows\SysWOW64\Bkpccb32.dll Kpfplo32.exe File created C:\Windows\SysWOW64\Jlpfci32.dll Clnehado.exe File created C:\Windows\SysWOW64\Embkbdce.exe Egebjmdn.exe File created C:\Windows\SysWOW64\Dlkqpg32.exe Dogpfc32.exe File created C:\Windows\SysWOW64\Cefkjiak.dll Gmmfaa32.exe File created C:\Windows\SysWOW64\Iidgma32.dll Hpkompgg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3552 2544 WerFault.exe 881 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmloigln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mibnje32.dll" Ieigfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllqqh32.dll" Lgfjggll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmkcoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmlah32.dll" Pceqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkbkpcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onjgkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqplqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfodfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bchhqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pglclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhjcic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klehgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mngjeamd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmijfmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhbpk32.dll" Iagchmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ciknhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll" Khpaidpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbgjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpikik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oclpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggmjkapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbiahjpi.dll" Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbdjfbm.dll" Bgmnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbakpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemjdi32.dll" Eghdanac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojpaeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Baealp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aidpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egkgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocbagqd.dll" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcfncko.dll" Ikocoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecogcf32.dll" Jdmfdgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkqlgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oafedmlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgaoic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbocak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ailhedbj.dll" Idfnicfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjacjifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hmjoqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgoakpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambnnc32.dll" Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonkpi32.dll" Mblcin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolijfnc.dll" Pnkglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmlenl32.dll" Blnkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iplnpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmjaadjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhdbb32.dll" Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklomf32.dll" Kjkehhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcbjm32.dll" Hjplao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnkcpq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 3040 1708 00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe 28 PID 1708 wrote to memory of 3040 1708 00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe 28 PID 1708 wrote to memory of 3040 1708 00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe 28 PID 1708 wrote to memory of 3040 1708 00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe 28 PID 3040 wrote to memory of 2516 3040 Pohfehdi.exe 29 PID 3040 wrote to memory of 2516 3040 Pohfehdi.exe 29 PID 3040 wrote to memory of 2516 3040 Pohfehdi.exe 29 PID 3040 wrote to memory of 2516 3040 Pohfehdi.exe 29 PID 2516 wrote to memory of 2520 2516 Pdldnomh.exe 30 PID 2516 wrote to memory of 2520 2516 Pdldnomh.exe 30 PID 2516 wrote to memory of 2520 2516 Pdldnomh.exe 30 PID 2516 wrote to memory of 2520 2516 Pdldnomh.exe 30 PID 2520 wrote to memory of 2652 2520 Qcqaok32.exe 31 PID 2520 wrote to memory of 2652 2520 Qcqaok32.exe 31 PID 2520 wrote to memory of 2652 2520 Qcqaok32.exe 31 PID 2520 wrote to memory of 2652 2520 Qcqaok32.exe 31 PID 2652 wrote to memory of 2428 2652 Afajafoa.exe 32 PID 2652 wrote to memory of 2428 2652 Afajafoa.exe 32 PID 2652 wrote to memory of 2428 2652 Afajafoa.exe 32 PID 2652 wrote to memory of 2428 2652 Afajafoa.exe 32 PID 2428 wrote to memory of 2496 2428 Aibcba32.exe 33 PID 2428 wrote to memory of 2496 2428 Aibcba32.exe 33 PID 2428 wrote to memory of 2496 2428 Aibcba32.exe 33 PID 2428 wrote to memory of 2496 2428 Aibcba32.exe 33 PID 2496 wrote to memory of 556 2496 Aidphq32.exe 34 PID 2496 wrote to memory of 556 2496 Aidphq32.exe 34 PID 2496 wrote to memory of 556 2496 Aidphq32.exe 34 PID 2496 wrote to memory of 556 2496 Aidphq32.exe 34 PID 556 wrote to memory of 2356 556 Abmdafpp.exe 35 PID 556 wrote to memory of 2356 556 Abmdafpp.exe 35 PID 556 wrote to memory of 2356 556 Abmdafpp.exe 35 PID 556 wrote to memory of 2356 556 Abmdafpp.exe 35 PID 2356 wrote to memory of 1200 2356 Ajhiei32.exe 36 PID 2356 wrote to memory of 1200 2356 Ajhiei32.exe 36 PID 2356 wrote to memory of 1200 2356 Ajhiei32.exe 36 PID 2356 wrote to memory of 1200 2356 Ajhiei32.exe 36 PID 1200 wrote to memory of 2808 1200 Agljom32.exe 37 PID 1200 wrote to memory of 2808 1200 Agljom32.exe 37 PID 1200 wrote to memory of 2808 1200 Agljom32.exe 37 PID 1200 wrote to memory of 2808 1200 Agljom32.exe 37 PID 2808 wrote to memory of 2320 2808 Badnhbce.exe 38 PID 2808 wrote to memory of 2320 2808 Badnhbce.exe 38 PID 2808 wrote to memory of 2320 2808 Badnhbce.exe 38 PID 2808 wrote to memory of 2320 2808 Badnhbce.exe 38 PID 2320 wrote to memory of 1440 2320 Bmkomchi.exe 39 PID 2320 wrote to memory of 1440 2320 Bmkomchi.exe 39 PID 2320 wrote to memory of 1440 2320 Bmkomchi.exe 39 PID 2320 wrote to memory of 1440 2320 Bmkomchi.exe 39 PID 1440 wrote to memory of 2144 1440 Bjoofhgc.exe 40 PID 1440 wrote to memory of 2144 1440 Bjoofhgc.exe 40 PID 1440 wrote to memory of 2144 1440 Bjoofhgc.exe 40 PID 1440 wrote to memory of 2144 1440 Bjoofhgc.exe 40 PID 2144 wrote to memory of 1516 2144 Bplhnoej.exe 41 PID 2144 wrote to memory of 1516 2144 Bplhnoej.exe 41 PID 2144 wrote to memory of 1516 2144 Bplhnoej.exe 41 PID 2144 wrote to memory of 1516 2144 Bplhnoej.exe 41 PID 1516 wrote to memory of 2016 1516 Blchcpko.exe 42 PID 1516 wrote to memory of 2016 1516 Blchcpko.exe 42 PID 1516 wrote to memory of 2016 1516 Blchcpko.exe 42 PID 1516 wrote to memory of 2016 1516 Blchcpko.exe 42 PID 2016 wrote to memory of 1144 2016 Bekmle32.exe 43 PID 2016 wrote to memory of 1144 2016 Bekmle32.exe 43 PID 2016 wrote to memory of 1144 2016 Bekmle32.exe 43 PID 2016 wrote to memory of 1144 2016 Bekmle32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\00b91f78cbeb13f39bac09ccec6a1730_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe33⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe34⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe35⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe36⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe38⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe39⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe40⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe42⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe43⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe44⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe46⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe47⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe48⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe49⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe50⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe51⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe52⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe53⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe54⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe58⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe60⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe63⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe64⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe65⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe66⤵PID:2192
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe67⤵PID:2824
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe68⤵PID:748
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe69⤵PID:2532
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe70⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe72⤵PID:1216
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe73⤵PID:2912
-
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe74⤵PID:872
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe75⤵
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe76⤵
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe77⤵PID:1804
-
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe78⤵PID:1308
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe79⤵PID:2236
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe80⤵PID:1660
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe81⤵PID:2648
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe82⤵PID:904
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe83⤵PID:2728
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe84⤵PID:2620
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe85⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe86⤵PID:3064
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe87⤵PID:1684
-
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe88⤵PID:1848
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe89⤵PID:920
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe90⤵PID:608
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe91⤵PID:1844
-
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe93⤵PID:3044
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe94⤵PID:1916
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe95⤵PID:800
-
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe96⤵PID:1088
-
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe97⤵PID:2892
-
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe102⤵PID:2540
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe103⤵PID:2896
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe104⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe105⤵PID:2596
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe106⤵PID:1644
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe107⤵PID:2064
-
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe108⤵PID:1864
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe109⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe110⤵PID:2992
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe111⤵PID:1592
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe112⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe113⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe114⤵PID:1248
-
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe115⤵PID:768
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe116⤵PID:1764
-
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe117⤵PID:1828
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe118⤵PID:2408
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe119⤵PID:1360
-
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe120⤵PID:2696
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe121⤵PID:672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-