Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 10:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe
-
Size
80KB
-
MD5
6cb100630eb5af855b6ba150cd4416a0
-
SHA1
703229951a348575c8a8875d01b5fe5ed2ed9ada
-
SHA256
5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36
-
SHA512
46a3e5222bd3eaf4b88dd4bd0afabb44b5e511841fdc280d16acdbe574a66be018e46bc01cfefd2db5d38102ea376dc96d27a385c98207a8a1f960cc2e6bc944
-
SSDEEP
1536:PESCVZbj0xM+I4OYjv2+DQOBJG8Eg2LamaIZTJ+7LhkiB0:KbjCjli57RZaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpfkqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdneebf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbnkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoocjfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fidoim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajcde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbeknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkqqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdogl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijjoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2588 Ncancbha.exe 2596 Nmjblg32.exe 2668 Nbfjdn32.exe 2432 Ohqbqhde.exe 2124 Okoomd32.exe 2520 Onmkio32.exe 1104 Odgcfijj.exe 2932 Ogfpbeim.exe 2584 Obkdonic.exe 2372 Oqndkj32.exe 1536 Okchhc32.exe 320 Onbddoog.exe 2016 Oelmai32.exe 2144 Okfencna.exe 2252 Omgaek32.exe 780 Oenifh32.exe 2824 Ogmfbd32.exe 2356 Ongnonkb.exe 3060 Pccfge32.exe 3048 Pgobhcac.exe 1688 Paggai32.exe 700 Pbiciana.exe 1672 Pjpkjond.exe 2340 Piblek32.exe 1516 Ppmdbe32.exe 1528 Pbkpna32.exe 2528 Pmqdkj32.exe 2636 Plcdgfbo.exe 2204 Pnbacbac.exe 2768 Pelipl32.exe 2472 Pbpjiphi.exe 2908 Pabjem32.exe 2764 Pijbfj32.exe 2888 Qnfjna32.exe 2460 Qeqbkkej.exe 1544 Qhooggdn.exe 1768 Qjmkcbcb.exe 112 Qmlgonbe.exe 1952 Qagcpljo.exe 1956 Ahakmf32.exe 1856 Afdlhchf.exe 2064 Aplpai32.exe 1412 Ahchbf32.exe 1400 Affhncfc.exe 1464 Aalmklfi.exe 1976 Adjigg32.exe 1700 Afiecb32.exe 1540 Aigaon32.exe 752 Ambmpmln.exe 2844 Apajlhka.exe 2976 Admemg32.exe 2216 Aenbdoii.exe 2552 Aiinen32.exe 2700 Amejeljk.exe 2564 Alhjai32.exe 2904 Afmonbqk.exe 2752 Aepojo32.exe 2928 Ailkjmpo.exe 2384 Aljgfioc.exe 1584 Boiccdnf.exe 2776 Bbdocc32.exe 1680 Bagpopmj.exe 1936 Bingpmnl.exe 2644 Blmdlhmp.exe -
Loads dropped DLL 64 IoCs
pid Process 2148 5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe 2148 5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe 2588 Ncancbha.exe 2588 Ncancbha.exe 2596 Nmjblg32.exe 2596 Nmjblg32.exe 2668 Nbfjdn32.exe 2668 Nbfjdn32.exe 2432 Ohqbqhde.exe 2432 Ohqbqhde.exe 2124 Okoomd32.exe 2124 Okoomd32.exe 2520 Onmkio32.exe 2520 Onmkio32.exe 1104 Odgcfijj.exe 1104 Odgcfijj.exe 2932 Ogfpbeim.exe 2932 Ogfpbeim.exe 2584 Obkdonic.exe 2584 Obkdonic.exe 2372 Oqndkj32.exe 2372 Oqndkj32.exe 1536 Okchhc32.exe 1536 Okchhc32.exe 320 Onbddoog.exe 320 Onbddoog.exe 2016 Oelmai32.exe 2016 Oelmai32.exe 2144 Okfencna.exe 2144 Okfencna.exe 2252 Omgaek32.exe 2252 Omgaek32.exe 780 Oenifh32.exe 780 Oenifh32.exe 2824 Ogmfbd32.exe 2824 Ogmfbd32.exe 2356 Ongnonkb.exe 2356 Ongnonkb.exe 3060 Pccfge32.exe 3060 Pccfge32.exe 3048 Pgobhcac.exe 3048 Pgobhcac.exe 1688 Paggai32.exe 1688 Paggai32.exe 700 Pbiciana.exe 700 Pbiciana.exe 1672 Pjpkjond.exe 1672 Pjpkjond.exe 2340 Piblek32.exe 2340 Piblek32.exe 1516 Ppmdbe32.exe 1516 Ppmdbe32.exe 1528 Pbkpna32.exe 1528 Pbkpna32.exe 2528 Pmqdkj32.exe 2528 Pmqdkj32.exe 2636 Plcdgfbo.exe 2636 Plcdgfbo.exe 2204 Pnbacbac.exe 2204 Pnbacbac.exe 2768 Pelipl32.exe 2768 Pelipl32.exe 2472 Pbpjiphi.exe 2472 Pbpjiphi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bopicc32.exe Bghabf32.exe File created C:\Windows\SysWOW64\Ghkdol32.dll Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Amhpnkch.exe Ajjcbpdd.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Maodqp32.dll Jfcnngnd.exe File created C:\Windows\SysWOW64\Dmpknpme.dll Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Ojahnj32.exe Ofelmloo.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Bpnbkeld.exe File created C:\Windows\SysWOW64\Hqddgc32.dll Ahchbf32.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Joplbl32.exe Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Kafbec32.exe Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Ahlgfdeq.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe Eihfjo32.exe File opened for modification C:\Windows\SysWOW64\Elmigj32.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Ocnfbo32.exe Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Bidjnkdg.exe Behnnm32.exe File created C:\Windows\SysWOW64\Gqncakcq.dll Logbhl32.exe File created C:\Windows\SysWOW64\Hmlnoc32.exe Hiqbndpb.exe File opened for modification C:\Windows\SysWOW64\Kaaijdgn.exe Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kkijmm32.exe File created C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File created C:\Windows\SysWOW64\Clkmne32.dll Fidoim32.exe File created C:\Windows\SysWOW64\Apmabnaj.dll Pflomnkb.exe File created C:\Windows\SysWOW64\Fjdbnf32.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Jnqphi32.exe Jonplmcb.exe File opened for modification C:\Windows\SysWOW64\Kfgdhjmk.exe Kcihlong.exe File opened for modification C:\Windows\SysWOW64\Lliflp32.exe Lhmjkaoc.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Clilkfnb.exe Chnqkg32.exe File created C:\Windows\SysWOW64\Fidoim32.exe Effcma32.exe File opened for modification C:\Windows\SysWOW64\Ppmdbe32.exe Piblek32.exe File created C:\Windows\SysWOW64\Mncnkh32.dll Gbkgnfbd.exe File created C:\Windows\SysWOW64\Lecgje32.exe Lbeknj32.exe File opened for modification C:\Windows\SysWOW64\Mgimmm32.exe Mhgmapfi.exe File created C:\Windows\SysWOW64\Cmeabq32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Dngoibmo.exe Dodonf32.exe File created C:\Windows\SysWOW64\Fejgko32.exe Faokjpfd.exe File created C:\Windows\SysWOW64\Meccii32.exe Mgqcmlgl.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File opened for modification C:\Windows\SysWOW64\Ejbfhfaj.exe Eloemi32.exe File opened for modification C:\Windows\SysWOW64\Egoife32.exe Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Enakbp32.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fjdbnf32.exe File created C:\Windows\SysWOW64\Nkkgfioo.dll Nncahjgl.exe File opened for modification C:\Windows\SysWOW64\Aefeijle.exe Afcenm32.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Kclhicjn.dll Bblogakg.exe File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe Emeopn32.exe File created C:\Windows\SysWOW64\Ofjfhk32.exe Obojhlbq.exe File created C:\Windows\SysWOW64\Eibbcm32.exe Efcfga32.exe File created C:\Windows\SysWOW64\Pjgjmd32.dll Oelmai32.exe File created C:\Windows\SysWOW64\Gdopkn32.exe Gelppaof.exe File created C:\Windows\SysWOW64\Poaljn32.dll Odgcfijj.exe File created C:\Windows\SysWOW64\Dgdmmgpj.exe Ddeaalpg.exe File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Aoipdkgg.dll Bdlblj32.exe File created C:\Windows\SysWOW64\Gapiomln.dll Jfqahgpg.exe File created C:\Windows\SysWOW64\Dbhnhp32.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bopicc32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Ebgacddo.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File created C:\Windows\SysWOW64\Aefeijle.exe Afcenm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6308 6280 WerFault.exe 625 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmahdggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maodqp32.dll" Jfcnngnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jifdebic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfamcogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkihhhnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgaqgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gopkmhjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojebabb.dll" Apimacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pabjem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnhkk32.dll" Pgobhcac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnojdcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamcl32.dll" Claifkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdapak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhbped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhqkpcf.dll" Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmicaonb.dll" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdamlbjc.dll" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lajhofao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgcddkm.dll" Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijgdngmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdfmnkb.dll" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkeelohh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2588 2148 5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe 28 PID 2148 wrote to memory of 2588 2148 5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe 28 PID 2148 wrote to memory of 2588 2148 5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe 28 PID 2148 wrote to memory of 2588 2148 5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe 28 PID 2588 wrote to memory of 2596 2588 Ncancbha.exe 29 PID 2588 wrote to memory of 2596 2588 Ncancbha.exe 29 PID 2588 wrote to memory of 2596 2588 Ncancbha.exe 29 PID 2588 wrote to memory of 2596 2588 Ncancbha.exe 29 PID 2596 wrote to memory of 2668 2596 Nmjblg32.exe 30 PID 2596 wrote to memory of 2668 2596 Nmjblg32.exe 30 PID 2596 wrote to memory of 2668 2596 Nmjblg32.exe 30 PID 2596 wrote to memory of 2668 2596 Nmjblg32.exe 30 PID 2668 wrote to memory of 2432 2668 Nbfjdn32.exe 31 PID 2668 wrote to memory of 2432 2668 Nbfjdn32.exe 31 PID 2668 wrote to memory of 2432 2668 Nbfjdn32.exe 31 PID 2668 wrote to memory of 2432 2668 Nbfjdn32.exe 31 PID 2432 wrote to memory of 2124 2432 Ohqbqhde.exe 32 PID 2432 wrote to memory of 2124 2432 Ohqbqhde.exe 32 PID 2432 wrote to memory of 2124 2432 Ohqbqhde.exe 32 PID 2432 wrote to memory of 2124 2432 Ohqbqhde.exe 32 PID 2124 wrote to memory of 2520 2124 Okoomd32.exe 33 PID 2124 wrote to memory of 2520 2124 Okoomd32.exe 33 PID 2124 wrote to memory of 2520 2124 Okoomd32.exe 33 PID 2124 wrote to memory of 2520 2124 Okoomd32.exe 33 PID 2520 wrote to memory of 1104 2520 Onmkio32.exe 34 PID 2520 wrote to memory of 1104 2520 Onmkio32.exe 34 PID 2520 wrote to memory of 1104 2520 Onmkio32.exe 34 PID 2520 wrote to memory of 1104 2520 Onmkio32.exe 34 PID 1104 wrote to memory of 2932 1104 Odgcfijj.exe 35 PID 1104 wrote to memory of 2932 1104 Odgcfijj.exe 35 PID 1104 wrote to memory of 2932 1104 Odgcfijj.exe 35 PID 1104 wrote to memory of 2932 1104 Odgcfijj.exe 35 PID 2932 wrote to memory of 2584 2932 Ogfpbeim.exe 36 PID 2932 wrote to memory of 2584 2932 Ogfpbeim.exe 36 PID 2932 wrote to memory of 2584 2932 Ogfpbeim.exe 36 PID 2932 wrote to memory of 2584 2932 Ogfpbeim.exe 36 PID 2584 wrote to memory of 2372 2584 Obkdonic.exe 37 PID 2584 wrote to memory of 2372 2584 Obkdonic.exe 37 PID 2584 wrote to memory of 2372 2584 Obkdonic.exe 37 PID 2584 wrote to memory of 2372 2584 Obkdonic.exe 37 PID 2372 wrote to memory of 1536 2372 Oqndkj32.exe 38 PID 2372 wrote to memory of 1536 2372 Oqndkj32.exe 38 PID 2372 wrote to memory of 1536 2372 Oqndkj32.exe 38 PID 2372 wrote to memory of 1536 2372 Oqndkj32.exe 38 PID 1536 wrote to memory of 320 1536 Okchhc32.exe 39 PID 1536 wrote to memory of 320 1536 Okchhc32.exe 39 PID 1536 wrote to memory of 320 1536 Okchhc32.exe 39 PID 1536 wrote to memory of 320 1536 Okchhc32.exe 39 PID 320 wrote to memory of 2016 320 Onbddoog.exe 40 PID 320 wrote to memory of 2016 320 Onbddoog.exe 40 PID 320 wrote to memory of 2016 320 Onbddoog.exe 40 PID 320 wrote to memory of 2016 320 Onbddoog.exe 40 PID 2016 wrote to memory of 2144 2016 Oelmai32.exe 41 PID 2016 wrote to memory of 2144 2016 Oelmai32.exe 41 PID 2016 wrote to memory of 2144 2016 Oelmai32.exe 41 PID 2016 wrote to memory of 2144 2016 Oelmai32.exe 41 PID 2144 wrote to memory of 2252 2144 Okfencna.exe 42 PID 2144 wrote to memory of 2252 2144 Okfencna.exe 42 PID 2144 wrote to memory of 2252 2144 Okfencna.exe 42 PID 2144 wrote to memory of 2252 2144 Okfencna.exe 42 PID 2252 wrote to memory of 780 2252 Omgaek32.exe 43 PID 2252 wrote to memory of 780 2252 Omgaek32.exe 43 PID 2252 wrote to memory of 780 2252 Omgaek32.exe 43 PID 2252 wrote to memory of 780 2252 Omgaek32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5371b659334857ff29bf149f05ab317b20a1611873ff5526854f74ae34052f36_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe34⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe35⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe36⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe37⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe38⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe40⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe41⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe42⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe43⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe45⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe46⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe47⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe48⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe50⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe51⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe54⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe55⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe56⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe57⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe58⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe59⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe60⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe61⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe62⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe64⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe65⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe66⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe67⤵PID:776
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe68⤵
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe70⤵PID:2360
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe71⤵PID:1212
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe72⤵
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe73⤵PID:2344
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe74⤵PID:1560
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe75⤵PID:2540
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe76⤵PID:2556
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe77⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe78⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe79⤵PID:1020
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe80⤵PID:2944
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe81⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe83⤵PID:1504
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe84⤵PID:2108
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe85⤵PID:1844
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe86⤵PID:488
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe87⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe88⤵PID:2368
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe89⤵PID:3032
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe90⤵PID:960
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe91⤵PID:1876
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe92⤵PID:1640
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe93⤵PID:1636
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe94⤵PID:2620
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe95⤵PID:2512
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe96⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe97⤵PID:2884
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe98⤵PID:852
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe99⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe100⤵PID:2192
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe101⤵PID:1904
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe102⤵
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe103⤵PID:2268
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe104⤵
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe105⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe107⤵PID:2184
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe108⤵PID:3028
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe109⤵PID:1276
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe110⤵PID:2112
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe111⤵PID:2900
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe112⤵PID:1416
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe113⤵PID:2468
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe115⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe116⤵PID:2436
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe117⤵PID:452
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe118⤵PID:1296
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe119⤵PID:956
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe120⤵PID:3008
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe121⤵PID:2004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-