Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 03:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe
-
Size
199KB
-
MD5
5d182d931378ce34db67c12b49041370
-
SHA1
c78aa3f38f2d91e00f973442c4f730da36fb8b16
-
SHA256
5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf
-
SHA512
b9285c931c6d7ff187c52c8b8222c432c5c99ffde2fa57673727c151cae924e42c6baa0adb42d2e1b379ea9ade1d5afd19248b8b24a545091684010de1c30d89
-
SSDEEP
6144:CkEjQGFSZSCZj81+jq4peBK034YOmFz1h:vrlZSCG1+jheBbOmFxh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcmcoblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjqcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajmkhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabfjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkaaolf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkhkgbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfocnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggagmjbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plhaeofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmgodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikldqile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpbmkan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moenkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqeomfgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcgkbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkacpihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgebjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoebgcol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepfnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gamifcmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadcemm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbcddlnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejoei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecnkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immjnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mioeeifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmffa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjbdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddcimag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifpnaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgpff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Magfjebk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pilfpqaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchdpbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpgfmeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahpifj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngeljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbfnchfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becpap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnmoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joebccpp.exe -
Executes dropped EXE 64 IoCs
pid Process 2200 Pkacpihj.exe 2588 Pnalad32.exe 2716 Qoeeolig.exe 2748 Amkbnp32.exe 2872 Abkhkgbb.exe 952 Aekqmbod.exe 2404 Aboaff32.exe 1264 Bccjdnbi.exe 2876 Bpjkiogm.exe 3012 Bjoofhgc.exe 2548 Bffpki32.exe 2168 Bcjqdmla.exe 2672 Bmbemb32.exe 1752 Chlfnp32.exe 2324 Cadjgf32.exe 524 Cbdgqimc.exe 1272 Dkfbfjdf.exe 2376 Dgoopkgh.exe 1792 Dcfpel32.exe 852 Degiggjm.exe 1880 Ekcaonhe.exe 1984 Egjbdo32.exe 1052 Ejmhkiig.exe 2968 Ecfldoph.exe 3040 Fchijone.exe 2128 Fqlicclo.exe 2136 Fdnolfon.exe 2280 Fbdlkj32.exe 1560 Findhdcb.exe 2636 Geeemeif.exe 2772 Gfhnjm32.exe 2520 Gfkkpmko.exe 2500 Hphidanj.exe 2556 Halbai32.exe 2584 Hbknkl32.exe 948 Hmeolj32.exe 1868 Hhjcic32.exe 2840 Idadnd32.exe 944 Ipjahd32.exe 1940 Ihhcbf32.exe 2408 Ielclkhe.exe 960 Jodhdp32.exe 684 Jaeafklf.exe 1112 Jhoice32.exe 2140 Jnkakl32.exe 984 Jnnnalph.exe 2312 Jdhgnf32.exe 1820 Jkbojpna.exe 764 Kcmcoblm.exe 2964 Kpadhg32.exe 2944 Khlili32.exe 2348 Kcamjb32.exe 1660 Kljabgnh.exe 2704 Kllnhg32.exe 2652 Kdhcli32.exe 2532 Lkakicam.exe 2664 Lqncaj32.exe 2516 Lbnpkmfg.exe 2308 Lneaqn32.exe 1980 Ldoimh32.exe 2836 Ljkaeo32.exe 2808 Lcdfnehp.exe 3000 Lqhfhigj.exe 596 Mjpkqonj.exe -
Loads dropped DLL 64 IoCs
pid Process 2244 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe 2244 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe 2200 Pkacpihj.exe 2200 Pkacpihj.exe 2588 Pnalad32.exe 2588 Pnalad32.exe 2716 Qoeeolig.exe 2716 Qoeeolig.exe 2748 Amkbnp32.exe 2748 Amkbnp32.exe 2872 Abkhkgbb.exe 2872 Abkhkgbb.exe 952 Aekqmbod.exe 952 Aekqmbod.exe 2404 Aboaff32.exe 2404 Aboaff32.exe 1264 Bccjdnbi.exe 1264 Bccjdnbi.exe 2876 Bpjkiogm.exe 2876 Bpjkiogm.exe 3012 Bjoofhgc.exe 3012 Bjoofhgc.exe 2548 Bffpki32.exe 2548 Bffpki32.exe 2168 Bcjqdmla.exe 2168 Bcjqdmla.exe 2672 Bmbemb32.exe 2672 Bmbemb32.exe 1752 Chlfnp32.exe 1752 Chlfnp32.exe 2324 Cadjgf32.exe 2324 Cadjgf32.exe 524 Cbdgqimc.exe 524 Cbdgqimc.exe 1272 Dkfbfjdf.exe 1272 Dkfbfjdf.exe 2376 Dgoopkgh.exe 2376 Dgoopkgh.exe 1792 Dcfpel32.exe 1792 Dcfpel32.exe 852 Degiggjm.exe 852 Degiggjm.exe 1880 Ekcaonhe.exe 1880 Ekcaonhe.exe 1984 Egjbdo32.exe 1984 Egjbdo32.exe 1052 Ejmhkiig.exe 1052 Ejmhkiig.exe 2968 Ecfldoph.exe 2968 Ecfldoph.exe 3040 Fchijone.exe 3040 Fchijone.exe 2128 Fqlicclo.exe 2128 Fqlicclo.exe 2136 Fdnolfon.exe 2136 Fdnolfon.exe 2280 Fbdlkj32.exe 2280 Fbdlkj32.exe 1560 Findhdcb.exe 1560 Findhdcb.exe 2636 Geeemeif.exe 2636 Geeemeif.exe 2772 Gfhnjm32.exe 2772 Gfhnjm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Peipigfb.dll Dgoopkgh.exe File created C:\Windows\SysWOW64\Nhfpnk32.dll Kcgphp32.exe File opened for modification C:\Windows\SysWOW64\Oggeokoq.exe Ogdhik32.exe File created C:\Windows\SysWOW64\Aeackjhh.dll Epcddopf.exe File created C:\Windows\SysWOW64\Gkbafe32.dll Maapjjml.exe File created C:\Windows\SysWOW64\Qqbhmi32.dll Panehkaj.exe File created C:\Windows\SysWOW64\Oheppe32.exe Oipcnieb.exe File created C:\Windows\SysWOW64\Plcied32.exe Panehkaj.exe File created C:\Windows\SysWOW64\Fcnkhmdp.exe Fjegog32.exe File opened for modification C:\Windows\SysWOW64\Fimoiopk.exe Fpdkpiik.exe File created C:\Windows\SysWOW64\Plpqim32.exe Pbglpg32.exe File opened for modification C:\Windows\SysWOW64\Gjjafkpe.exe Fpemhb32.exe File created C:\Windows\SysWOW64\Akeaja32.dll Dkblohek.exe File created C:\Windows\SysWOW64\Cmdfje32.dll Gdflgo32.exe File opened for modification C:\Windows\SysWOW64\Ijibng32.exe Hkdemk32.exe File created C:\Windows\SysWOW64\Necdin32.dll Clnehado.exe File created C:\Windows\SysWOW64\Kmnechcf.dll Elndpnnn.exe File created C:\Windows\SysWOW64\Camlob32.dll Gllpflng.exe File created C:\Windows\SysWOW64\Iplnpq32.exe Igcjgk32.exe File created C:\Windows\SysWOW64\Fdmfgfng.dll Jnkakl32.exe File created C:\Windows\SysWOW64\Ggagmjbq.exe Fepjea32.exe File opened for modification C:\Windows\SysWOW64\Akfnkmei.exe Adleoc32.exe File created C:\Windows\SysWOW64\Mmndfnpl.exe Magdam32.exe File created C:\Windows\SysWOW64\Fngooj32.dll Qjgcecja.exe File created C:\Windows\SysWOW64\Fhhofe32.dll Dpmgao32.exe File opened for modification C:\Windows\SysWOW64\Npmphinm.exe Nfdkoc32.exe File created C:\Windows\SysWOW64\Nfidjbdg.exe Nmqpam32.exe File created C:\Windows\SysWOW64\Cpiqmlfm.exe Cfpldf32.exe File created C:\Windows\SysWOW64\Njfaognh.dll Fkcilc32.exe File created C:\Windows\SysWOW64\Igqcmh32.dll Hhlaiccm.exe File opened for modification C:\Windows\SysWOW64\Kkciic32.exe Kffqqm32.exe File opened for modification C:\Windows\SysWOW64\Jlnmel32.exe Jipaip32.exe File created C:\Windows\SysWOW64\Kbqebj32.dll Bedamd32.exe File opened for modification C:\Windows\SysWOW64\Clnehado.exe Cgqmpkfg.exe File created C:\Windows\SysWOW64\Hclhjpjc.exe Hjddaj32.exe File created C:\Windows\SysWOW64\Pgogla32.exe Pabncj32.exe File opened for modification C:\Windows\SysWOW64\Cadjgf32.exe Chlfnp32.exe File created C:\Windows\SysWOW64\Bodilc32.dll Kdphjm32.exe File opened for modification C:\Windows\SysWOW64\Mmpakm32.exe Mhcicf32.exe File opened for modification C:\Windows\SysWOW64\Kaglcgdc.exe Kgnkci32.exe File opened for modification C:\Windows\SysWOW64\Ahmefdcp.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Ogpjmn32.exe Omgfdhbq.exe File opened for modification C:\Windows\SysWOW64\Hmgodc32.exe Gdnkkmej.exe File created C:\Windows\SysWOW64\Lomglo32.exe Ljpnch32.exe File created C:\Windows\SysWOW64\Njjcip32.exe Nmfbpk32.exe File opened for modification C:\Windows\SysWOW64\Obgnhkkh.exe Obeacl32.exe File opened for modification C:\Windows\SysWOW64\Fpjaodmj.exe Emeobj32.exe File opened for modification C:\Windows\SysWOW64\Kmficl32.exe Kcmdjgbh.exe File created C:\Windows\SysWOW64\Lidilk32.exe Lbkaoalg.exe File opened for modification C:\Windows\SysWOW64\Bfmjoqoe.exe Biiiempl.exe File opened for modification C:\Windows\SysWOW64\Lnfmhj32.exe Lijepc32.exe File created C:\Windows\SysWOW64\Eqcjaa32.exe Ekfaij32.exe File created C:\Windows\SysWOW64\Jkofeknc.dll Mpmcielb.exe File opened for modification C:\Windows\SysWOW64\Pojecajj.exe Pebpkk32.exe File created C:\Windows\SysWOW64\Qjmedhoe.dll Ncfjajma.exe File created C:\Windows\SysWOW64\Aepbmhpl.exe Qmenhe32.exe File opened for modification C:\Windows\SysWOW64\Jqeomfgc.exe Jjkfqlpf.exe File opened for modification C:\Windows\SysWOW64\Bjfpdf32.exe Admgglep.exe File opened for modification C:\Windows\SysWOW64\Hokhbj32.exe Hfbcidmk.exe File created C:\Windows\SysWOW64\Bkpccb32.dll Ldheebad.exe File created C:\Windows\SysWOW64\Jpbpbbdb.dll Jmdgipkk.exe File created C:\Windows\SysWOW64\Gelafcdj.dll Cdnncfoe.exe File opened for modification C:\Windows\SysWOW64\Gdhfdffl.exe Gibbgmfe.exe File created C:\Windows\SysWOW64\Pmhgba32.exe Ppdfimji.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2116 836 WerFault.exe 1004 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdgdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaciom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehlkfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpfoboml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhbold32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mobfgdcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofglaipf.dll" Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkjgclg.dll" Kcmdjgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmooam32.dll" Mchokq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pklmdamd.dll" Blnpddeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajmfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqpbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfldbog.dll" Dpcnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgiogam.dll" Inhoegqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklago32.dll" Bfmjoqoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipmqgmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqoebm32.dll" Phobjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkimpfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhncclq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlqmmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kigibh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apfici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompjookk.dll" Mobaef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elpqemll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcjqdmla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inajahoe.dll" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdaaomdi.dll" Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmecdp32.dll" 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elipgofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbkgbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadgpb32.dll" Jnlepioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjkiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgoopkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddlnn32.dll" Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpjnmlel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnmcjanc.dll" Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdqhambg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdqcfdkh.dll" Mjddnjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpbkipf.dll" Ipaklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjkfqlpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpnkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhikae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pncljmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpmog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbmhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbqnb32.dll" Bffpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnolfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhkkno.dll" Facdgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnqjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjjda32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2200 2244 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe 28 PID 2244 wrote to memory of 2200 2244 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe 28 PID 2244 wrote to memory of 2200 2244 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe 28 PID 2244 wrote to memory of 2200 2244 5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe 28 PID 2200 wrote to memory of 2588 2200 Pkacpihj.exe 29 PID 2200 wrote to memory of 2588 2200 Pkacpihj.exe 29 PID 2200 wrote to memory of 2588 2200 Pkacpihj.exe 29 PID 2200 wrote to memory of 2588 2200 Pkacpihj.exe 29 PID 2588 wrote to memory of 2716 2588 Pnalad32.exe 30 PID 2588 wrote to memory of 2716 2588 Pnalad32.exe 30 PID 2588 wrote to memory of 2716 2588 Pnalad32.exe 30 PID 2588 wrote to memory of 2716 2588 Pnalad32.exe 30 PID 2716 wrote to memory of 2748 2716 Qoeeolig.exe 31 PID 2716 wrote to memory of 2748 2716 Qoeeolig.exe 31 PID 2716 wrote to memory of 2748 2716 Qoeeolig.exe 31 PID 2716 wrote to memory of 2748 2716 Qoeeolig.exe 31 PID 2748 wrote to memory of 2872 2748 Amkbnp32.exe 32 PID 2748 wrote to memory of 2872 2748 Amkbnp32.exe 32 PID 2748 wrote to memory of 2872 2748 Amkbnp32.exe 32 PID 2748 wrote to memory of 2872 2748 Amkbnp32.exe 32 PID 2872 wrote to memory of 952 2872 Abkhkgbb.exe 33 PID 2872 wrote to memory of 952 2872 Abkhkgbb.exe 33 PID 2872 wrote to memory of 952 2872 Abkhkgbb.exe 33 PID 2872 wrote to memory of 952 2872 Abkhkgbb.exe 33 PID 952 wrote to memory of 2404 952 Aekqmbod.exe 34 PID 952 wrote to memory of 2404 952 Aekqmbod.exe 34 PID 952 wrote to memory of 2404 952 Aekqmbod.exe 34 PID 952 wrote to memory of 2404 952 Aekqmbod.exe 34 PID 2404 wrote to memory of 1264 2404 Aboaff32.exe 35 PID 2404 wrote to memory of 1264 2404 Aboaff32.exe 35 PID 2404 wrote to memory of 1264 2404 Aboaff32.exe 35 PID 2404 wrote to memory of 1264 2404 Aboaff32.exe 35 PID 1264 wrote to memory of 2876 1264 Bccjdnbi.exe 36 PID 1264 wrote to memory of 2876 1264 Bccjdnbi.exe 36 PID 1264 wrote to memory of 2876 1264 Bccjdnbi.exe 36 PID 1264 wrote to memory of 2876 1264 Bccjdnbi.exe 36 PID 2876 wrote to memory of 3012 2876 Bpjkiogm.exe 37 PID 2876 wrote to memory of 3012 2876 Bpjkiogm.exe 37 PID 2876 wrote to memory of 3012 2876 Bpjkiogm.exe 37 PID 2876 wrote to memory of 3012 2876 Bpjkiogm.exe 37 PID 3012 wrote to memory of 2548 3012 Bjoofhgc.exe 38 PID 3012 wrote to memory of 2548 3012 Bjoofhgc.exe 38 PID 3012 wrote to memory of 2548 3012 Bjoofhgc.exe 38 PID 3012 wrote to memory of 2548 3012 Bjoofhgc.exe 38 PID 2548 wrote to memory of 2168 2548 Bffpki32.exe 39 PID 2548 wrote to memory of 2168 2548 Bffpki32.exe 39 PID 2548 wrote to memory of 2168 2548 Bffpki32.exe 39 PID 2548 wrote to memory of 2168 2548 Bffpki32.exe 39 PID 2168 wrote to memory of 2672 2168 Bcjqdmla.exe 40 PID 2168 wrote to memory of 2672 2168 Bcjqdmla.exe 40 PID 2168 wrote to memory of 2672 2168 Bcjqdmla.exe 40 PID 2168 wrote to memory of 2672 2168 Bcjqdmla.exe 40 PID 2672 wrote to memory of 1752 2672 Bmbemb32.exe 41 PID 2672 wrote to memory of 1752 2672 Bmbemb32.exe 41 PID 2672 wrote to memory of 1752 2672 Bmbemb32.exe 41 PID 2672 wrote to memory of 1752 2672 Bmbemb32.exe 41 PID 1752 wrote to memory of 2324 1752 Chlfnp32.exe 42 PID 1752 wrote to memory of 2324 1752 Chlfnp32.exe 42 PID 1752 wrote to memory of 2324 1752 Chlfnp32.exe 42 PID 1752 wrote to memory of 2324 1752 Chlfnp32.exe 42 PID 2324 wrote to memory of 524 2324 Cadjgf32.exe 43 PID 2324 wrote to memory of 524 2324 Cadjgf32.exe 43 PID 2324 wrote to memory of 524 2324 Cadjgf32.exe 43 PID 2324 wrote to memory of 524 2324 Cadjgf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5c06049c269d93a5afed8f2668bdbd118cf890db25c4449ce9732f04cc9a0acf_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe33⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe34⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe35⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe36⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe37⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe38⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe39⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe41⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe42⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe43⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe45⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe47⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe48⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe49⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe51⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe53⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe54⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe56⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe57⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe58⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe59⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe60⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe61⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe62⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe63⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe64⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe65⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe66⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe67⤵PID:1612
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe68⤵PID:1736
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe69⤵PID:1400
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe70⤵PID:2912
-
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe71⤵PID:768
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe72⤵PID:2952
-
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe73⤵PID:1172
-
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe74⤵PID:1640
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe75⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe76⤵PID:2648
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe77⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe78⤵PID:3060
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe79⤵PID:3016
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe80⤵PID:2804
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe81⤵PID:1788
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe82⤵PID:2068
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe83⤵PID:472
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe84⤵PID:2924
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe85⤵PID:992
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe86⤵PID:1584
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe87⤵PID:108
-
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe88⤵PID:916
-
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe89⤵PID:1064
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1348 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe91⤵PID:1600
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe92⤵PID:840
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe94⤵PID:2904
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe95⤵PID:1960
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe96⤵PID:2252
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe98⤵PID:1480
-
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe99⤵PID:2832
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe100⤵PID:2880
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe101⤵PID:2316
-
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe102⤵PID:592
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe103⤵PID:2932
-
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe104⤵PID:1976
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe105⤵PID:3048
-
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe106⤵PID:2184
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe107⤵PID:1924
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe108⤵PID:2624
-
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe110⤵PID:2728
-
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe111⤵PID:2848
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe112⤵PID:2892
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe113⤵PID:956
-
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe114⤵PID:1536
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe115⤵PID:2928
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe116⤵PID:1364
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe117⤵PID:2344
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe118⤵PID:1556
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe119⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe120⤵PID:2228
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe121⤵PID:2724
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-