Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 15:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe
-
Size
80KB
-
MD5
ccefdeb65c80e20fe4455f335e1f7580
-
SHA1
2ea1f2b2ad8c03d87bd9b1755219b11faf2871fd
-
SHA256
3759ccfebcfb31a613553ec954f4c3372a7875e75f7d528196cfccdb868038d8
-
SHA512
b1734f131d4a268a3084b79f025dbdd636171834d3b86c9c85063acdfe7f14abb6e5f1880a7a7355a07e5595c417b0bacd24f566ad248cf34bd70a2997792482
-
SSDEEP
1536:kGqk8jU33zVcCQK6Zk7iV3SN+zL20gJi1i9:cq3UKBiVigzL20WKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhcdaibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfgaiaci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiedjneg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailkjmpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhjai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdlkld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjpkihg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adeplhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbkddem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbqhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhbom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjmkcbcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdmcdoe.exe -
Executes dropped EXE 64 IoCs
pid Process 1900 Kbhbom32.exe 1716 Kibjkgca.exe 2600 Khekgc32.exe 2580 Kjcgco32.exe 2612 Kbkodl32.exe 2616 Kanopipl.exe 2524 Kdlkld32.exe 2992 Llccmb32.exe 2820 Loapim32.exe 1284 Lekhfgfc.exe 2780 Lhjdbcef.exe 2840 Lfmdnp32.exe 636 Lmgmjjdn.exe 3032 Lpeifeca.exe 2040 Lgoacojo.exe 764 Lmiipi32.exe 2548 Ldcamcih.exe 2324 Lbfahp32.exe 2004 Lkmjin32.exe 1564 Lipjejgp.exe 1688 Llnfaffc.exe 908 Ldenbcge.exe 3056 Lefkjkmc.exe 3064 Libgjj32.exe 1764 Lplogdmj.exe 2604 Loooca32.exe 2868 Meigpkka.exe 2296 Mhgclfje.exe 2252 Mpolmdkg.exe 2520 Mcmhiojk.exe 2696 Mekdekin.exe 2988 Migpeiag.exe 2448 Mlelaeqk.exe 2712 Mochnppo.exe 2872 Mcodno32.exe 1304 Menakj32.exe 1720 Menakj32.exe 2964 Mhlmgf32.exe 2864 Mkjica32.exe 2264 Mofecpnl.exe 1472 Madapkmp.exe 2152 Mepnpj32.exe 988 Mhnjle32.exe 1556 Mkmfhacp.exe 3060 Mohbip32.exe 2900 Mnkbdlbd.exe 2960 Magnek32.exe 1168 Mdejaf32.exe 2480 Mhqfbebj.exe 2484 Mkobnqan.exe 3040 Nnnojlpa.exe 1824 Nplkfgoe.exe 2704 Ndgggf32.exe 2752 Ncjgbcoi.exe 1592 Ngfcca32.exe 2440 Nkaocp32.exe 3012 Njdpomfe.exe 1644 Nnplpl32.exe 2392 Npnhlg32.exe 2564 Ndjdlffl.exe 2140 Njgldmdc.exe 1220 Nnbhek32.exe 3068 Nqqdag32.exe 2736 Nocemcbj.exe -
Loads dropped DLL 64 IoCs
pid Process 756 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 756 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 1900 Kbhbom32.exe 1900 Kbhbom32.exe 1716 Kibjkgca.exe 1716 Kibjkgca.exe 2600 Khekgc32.exe 2600 Khekgc32.exe 2580 Kjcgco32.exe 2580 Kjcgco32.exe 2612 Kbkodl32.exe 2612 Kbkodl32.exe 2616 Kanopipl.exe 2616 Kanopipl.exe 2524 Kdlkld32.exe 2524 Kdlkld32.exe 2992 Llccmb32.exe 2992 Llccmb32.exe 2820 Loapim32.exe 2820 Loapim32.exe 1284 Lekhfgfc.exe 1284 Lekhfgfc.exe 2780 Lhjdbcef.exe 2780 Lhjdbcef.exe 2840 Lfmdnp32.exe 2840 Lfmdnp32.exe 636 Lmgmjjdn.exe 636 Lmgmjjdn.exe 3032 Lpeifeca.exe 3032 Lpeifeca.exe 2040 Lgoacojo.exe 2040 Lgoacojo.exe 764 Lmiipi32.exe 764 Lmiipi32.exe 2548 Ldcamcih.exe 2548 Ldcamcih.exe 2324 Lbfahp32.exe 2324 Lbfahp32.exe 2004 Lkmjin32.exe 2004 Lkmjin32.exe 1564 Lipjejgp.exe 1564 Lipjejgp.exe 1688 Llnfaffc.exe 1688 Llnfaffc.exe 908 Ldenbcge.exe 908 Ldenbcge.exe 3056 Lefkjkmc.exe 3056 Lefkjkmc.exe 3064 Libgjj32.exe 3064 Libgjj32.exe 1764 Lplogdmj.exe 1764 Lplogdmj.exe 2604 Loooca32.exe 2604 Loooca32.exe 2868 Meigpkka.exe 2868 Meigpkka.exe 2296 Mhgclfje.exe 2296 Mhgclfje.exe 2252 Mpolmdkg.exe 2252 Mpolmdkg.exe 2520 Mcmhiojk.exe 2520 Mcmhiojk.exe 2696 Mekdekin.exe 2696 Mekdekin.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gdcbnc32.dll Ocajbekl.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe Migpeiag.exe File created C:\Windows\SysWOW64\Jhcbom32.dll Nofabc32.exe File opened for modification C:\Windows\SysWOW64\Ongnonkb.exe Ojkboo32.exe File created C:\Windows\SysWOW64\Pbkpna32.exe Ppmdbe32.exe File created C:\Windows\SysWOW64\Khneoedc.dll Meigpkka.exe File created C:\Windows\SysWOW64\Bfmimf32.dll Madapkmp.exe File created C:\Windows\SysWOW64\Oojknblb.exe Okoomd32.exe File created C:\Windows\SysWOW64\Pbpjiphi.exe Pndniaop.exe File opened for modification C:\Windows\SysWOW64\Aigaon32.exe Ajdadamj.exe File created C:\Windows\SysWOW64\Oecbjjic.dll Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Ghoegl32.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Obljmlpp.dll Nfpjomgd.exe File created C:\Windows\SysWOW64\Dlmdloao.dll Pcfcmd32.exe File created C:\Windows\SysWOW64\Mdhbbiki.dll Abpfhcje.exe File created C:\Windows\SysWOW64\Cjpqdp32.exe Cfeddafl.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Dqhhknjp.exe Dbehoa32.exe File created C:\Windows\SysWOW64\Midahn32.dll Eiaiqn32.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Mbjlmdgj.dll Okalbc32.exe File created C:\Windows\SysWOW64\Kjpnhh32.dll Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File opened for modification C:\Windows\SysWOW64\Hmlnoc32.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Hnagjbdf.exe Hnagjbdf.exe File opened for modification C:\Windows\SysWOW64\Mcmhiojk.exe Mpolmdkg.exe File opened for modification C:\Windows\SysWOW64\Nhnfkigh.exe Nfpjomgd.exe File created C:\Windows\SysWOW64\Fclomp32.dll Djefobmk.exe File created C:\Windows\SysWOW64\Fmjejphb.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Oqndkj32.exe File created C:\Windows\SysWOW64\Moealbej.dll Qjmkcbcb.exe File created C:\Windows\SysWOW64\Cgqjffca.dll Ejgcdb32.exe File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe Eiaiqn32.exe File created C:\Windows\SysWOW64\Ojdngl32.dll Bokphdld.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cngcjo32.exe File created C:\Windows\SysWOW64\Hecjkifm.dll Djpmccqq.exe File created C:\Windows\SysWOW64\Bhjogple.dll Kdlkld32.exe File created C:\Windows\SysWOW64\Gkhqdcam.dll Nbfjdn32.exe File opened for modification C:\Windows\SysWOW64\Obigjnkf.exe Onmkio32.exe File created C:\Windows\SysWOW64\Aoffmd32.exe Apcfahio.exe File created C:\Windows\SysWOW64\Dmljjm32.dll Cgbdhd32.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dbbkja32.exe File created C:\Windows\SysWOW64\Njcbaa32.dll Dqelenlc.exe File opened for modification C:\Windows\SysWOW64\Ojficpfn.exe Okchhc32.exe File opened for modification C:\Windows\SysWOW64\Cgmkmecg.exe Bcaomf32.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Gknfklng.dll Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Ofdcjm32.exe Obigjnkf.exe File created C:\Windows\SysWOW64\Kpeliikc.dll Afmonbqk.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe Djefobmk.exe File created C:\Windows\SysWOW64\Lcgjec32.dll Lplogdmj.exe File created C:\Windows\SysWOW64\Ebhepm32.dll Nnplpl32.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qnfjna32.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Hafakdgi.dll Mhnjle32.exe File created C:\Windows\SysWOW64\Difoda32.dll Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Qljkhe32.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Jpbpbqda.dll Dnneja32.exe File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe Dcfdgiid.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Flmefm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6084 5204 WerFault.exe 513 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbjkfod.dll" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" Qeqbkkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejcjbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncoamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeadcbc.dll" Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" Hggomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdijd32.dll" Qdccfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhooggdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdceg32.dll" Ahakmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghabf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecqjpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlelaeqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkodhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdcec32.dll" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijmmc32.dll" Nkaocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Ppoqge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdlhchf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bloqah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhebk32.dll" Pigeqkai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qagcpljo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpnhgge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekhfgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Medfkpfc.dll" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfdcg32.dll" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjjld32.dll" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 756 wrote to memory of 1900 756 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 28 PID 756 wrote to memory of 1900 756 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 28 PID 756 wrote to memory of 1900 756 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 28 PID 756 wrote to memory of 1900 756 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 28 PID 1900 wrote to memory of 1716 1900 Kbhbom32.exe 29 PID 1900 wrote to memory of 1716 1900 Kbhbom32.exe 29 PID 1900 wrote to memory of 1716 1900 Kbhbom32.exe 29 PID 1900 wrote to memory of 1716 1900 Kbhbom32.exe 29 PID 1716 wrote to memory of 2600 1716 Kibjkgca.exe 30 PID 1716 wrote to memory of 2600 1716 Kibjkgca.exe 30 PID 1716 wrote to memory of 2600 1716 Kibjkgca.exe 30 PID 1716 wrote to memory of 2600 1716 Kibjkgca.exe 30 PID 2600 wrote to memory of 2580 2600 Khekgc32.exe 31 PID 2600 wrote to memory of 2580 2600 Khekgc32.exe 31 PID 2600 wrote to memory of 2580 2600 Khekgc32.exe 31 PID 2600 wrote to memory of 2580 2600 Khekgc32.exe 31 PID 2580 wrote to memory of 2612 2580 Kjcgco32.exe 32 PID 2580 wrote to memory of 2612 2580 Kjcgco32.exe 32 PID 2580 wrote to memory of 2612 2580 Kjcgco32.exe 32 PID 2580 wrote to memory of 2612 2580 Kjcgco32.exe 32 PID 2612 wrote to memory of 2616 2612 Kbkodl32.exe 33 PID 2612 wrote to memory of 2616 2612 Kbkodl32.exe 33 PID 2612 wrote to memory of 2616 2612 Kbkodl32.exe 33 PID 2612 wrote to memory of 2616 2612 Kbkodl32.exe 33 PID 2616 wrote to memory of 2524 2616 Kanopipl.exe 34 PID 2616 wrote to memory of 2524 2616 Kanopipl.exe 34 PID 2616 wrote to memory of 2524 2616 Kanopipl.exe 34 PID 2616 wrote to memory of 2524 2616 Kanopipl.exe 34 PID 2524 wrote to memory of 2992 2524 Kdlkld32.exe 35 PID 2524 wrote to memory of 2992 2524 Kdlkld32.exe 35 PID 2524 wrote to memory of 2992 2524 Kdlkld32.exe 35 PID 2524 wrote to memory of 2992 2524 Kdlkld32.exe 35 PID 2992 wrote to memory of 2820 2992 Llccmb32.exe 36 PID 2992 wrote to memory of 2820 2992 Llccmb32.exe 36 PID 2992 wrote to memory of 2820 2992 Llccmb32.exe 36 PID 2992 wrote to memory of 2820 2992 Llccmb32.exe 36 PID 2820 wrote to memory of 1284 2820 Loapim32.exe 37 PID 2820 wrote to memory of 1284 2820 Loapim32.exe 37 PID 2820 wrote to memory of 1284 2820 Loapim32.exe 37 PID 2820 wrote to memory of 1284 2820 Loapim32.exe 37 PID 1284 wrote to memory of 2780 1284 Lekhfgfc.exe 38 PID 1284 wrote to memory of 2780 1284 Lekhfgfc.exe 38 PID 1284 wrote to memory of 2780 1284 Lekhfgfc.exe 38 PID 1284 wrote to memory of 2780 1284 Lekhfgfc.exe 38 PID 2780 wrote to memory of 2840 2780 Lhjdbcef.exe 39 PID 2780 wrote to memory of 2840 2780 Lhjdbcef.exe 39 PID 2780 wrote to memory of 2840 2780 Lhjdbcef.exe 39 PID 2780 wrote to memory of 2840 2780 Lhjdbcef.exe 39 PID 2840 wrote to memory of 636 2840 Lfmdnp32.exe 40 PID 2840 wrote to memory of 636 2840 Lfmdnp32.exe 40 PID 2840 wrote to memory of 636 2840 Lfmdnp32.exe 40 PID 2840 wrote to memory of 636 2840 Lfmdnp32.exe 40 PID 636 wrote to memory of 3032 636 Lmgmjjdn.exe 41 PID 636 wrote to memory of 3032 636 Lmgmjjdn.exe 41 PID 636 wrote to memory of 3032 636 Lmgmjjdn.exe 41 PID 636 wrote to memory of 3032 636 Lmgmjjdn.exe 41 PID 3032 wrote to memory of 2040 3032 Lpeifeca.exe 42 PID 3032 wrote to memory of 2040 3032 Lpeifeca.exe 42 PID 3032 wrote to memory of 2040 3032 Lpeifeca.exe 42 PID 3032 wrote to memory of 2040 3032 Lpeifeca.exe 42 PID 2040 wrote to memory of 764 2040 Lgoacojo.exe 43 PID 2040 wrote to memory of 764 2040 Lgoacojo.exe 43 PID 2040 wrote to memory of 764 2040 Lgoacojo.exe 43 PID 2040 wrote to memory of 764 2040 Lgoacojo.exe 43
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:828
-
C:\Users\Admin\AppData\Local\Temp\ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe35⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe36⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe37⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe38⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe39⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe40⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe41⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe43⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe45⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe47⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe48⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe49⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe50⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe51⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe53⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe55⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe56⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe58⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe61⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe62⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe63⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe64⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe65⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe66⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe67⤵PID:604
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe69⤵PID:2620
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe70⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe71⤵PID:2876
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe72⤵PID:2496
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe73⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe75⤵PID:1608
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe76⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe78⤵PID:1512
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe79⤵PID:1456
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe80⤵PID:2832
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe81⤵PID:332
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe82⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe83⤵PID:392
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe85⤵PID:2560
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe86⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe87⤵PID:2916
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe88⤵
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe89⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe90⤵PID:2776
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe91⤵PID:108
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe92⤵PID:3020
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe93⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe94⤵PID:1672
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe95⤵PID:1872
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1184 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe98⤵PID:1692
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe99⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe100⤵PID:1752
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe101⤵PID:1092
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe102⤵PID:1968
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe103⤵PID:2500
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe104⤵PID:2228
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe105⤵PID:2816
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe106⤵PID:1728
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe107⤵PID:3036
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe108⤵PID:2836
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe109⤵PID:2744
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe110⤵PID:2168
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1080 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe113⤵PID:2568
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe114⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe115⤵PID:2424
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe117⤵PID:3028
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe118⤵PID:2724
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe119⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-