Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 11:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
-
Size
232KB
-
MD5
d05f0aeb8c3f9006cd3e9f2c544e4dc0
-
SHA1
c6d06a8d27c6252caf0d53550082e0597bcf6dd0
-
SHA256
5dfe4c41171135b8b33e3270ed9011212c5efde16c447cc4dead010c06e0b5df
-
SHA512
9b506916d0888d5b5a9038782fb8bd262ceeb43afbc722cceed8c5df1d117cf031dd09ffc0f3646f79c47ce7609374f71a5faed02efee89f97e76cfdc2ed4438
-
SSDEEP
3072:XqYqqcLVoQlcnl55gMD7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121Tzlz:frcLklpD6s21L7/s50z/Wa3/PNlPX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpmjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aemkjiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdjje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkqqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaocmmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofelmloo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhlmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjmbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpfqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefijfii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2096 Lganiohl.exe 2988 Lmkfei32.exe 2656 Llnfaffc.exe 2288 Loooca32.exe 2592 Meigpkka.exe 2488 Mpolmdkg.exe 2168 Maphdl32.exe 2772 Mhjpaf32.exe 1728 Mochnppo.exe 2004 Mhlmgf32.exe 1264 Mnieom32.exe 1240 Mepnpj32.exe 1652 Mhnjle32.exe 1580 Mdejaf32.exe 2052 Njbcim32.exe 1716 Nplkfgoe.exe 1056 Njdpomfe.exe 1824 Npnhlg32.exe 932 Ncmdhb32.exe 1340 Njgldmdc.exe 1608 Nleiqhcg.exe 1380 Nqqdag32.exe 2332 Ngkmnacm.exe 592 Nhlifi32.exe 1268 Nqcagfim.exe 3036 Nbdnoo32.exe 2088 Nmjblg32.exe 2724 Nbfjdn32.exe 3016 Odegpj32.exe 2496 Okoomd32.exe 2452 Ofdcjm32.exe 2692 Oicpfh32.exe 2784 Okalbc32.exe 1464 Oqndkj32.exe 2148 Okchhc32.exe 2336 Onbddoog.exe 376 Obnqem32.exe 1704 Okfencna.exe 2524 Oqcnfjli.exe 1616 Oenifh32.exe 2392 Ogmfbd32.exe 2844 Ongnonkb.exe 3024 Pphjgfqq.exe 1736 Pfbccp32.exe 1348 Pipopl32.exe 3068 Pmlkpjpj.exe 2176 Ppjglfon.exe 2856 Pfdpip32.exe 1312 Piblek32.exe 1324 Plahag32.exe 2940 Pbkpna32.exe 2744 Pfflopdh.exe 2604 Pmqdkj32.exe 2716 Ppoqge32.exe 2576 Pnbacbac.exe 2456 Pfiidobe.exe 2792 Pigeqkai.exe 2892 Plfamfpm.exe 832 Pbpjiphi.exe 2504 Penfelgm.exe 1724 Qhmbagfa.exe 2056 Qjknnbed.exe 2068 Qbbfopeg.exe 2116 Qdccfh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2980 d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe 2980 d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe 2096 Lganiohl.exe 2096 Lganiohl.exe 2988 Lmkfei32.exe 2988 Lmkfei32.exe 2656 Llnfaffc.exe 2656 Llnfaffc.exe 2288 Loooca32.exe 2288 Loooca32.exe 2592 Meigpkka.exe 2592 Meigpkka.exe 2488 Mpolmdkg.exe 2488 Mpolmdkg.exe 2168 Maphdl32.exe 2168 Maphdl32.exe 2772 Mhjpaf32.exe 2772 Mhjpaf32.exe 1728 Mochnppo.exe 1728 Mochnppo.exe 2004 Mhlmgf32.exe 2004 Mhlmgf32.exe 1264 Mnieom32.exe 1264 Mnieom32.exe 1240 Mepnpj32.exe 1240 Mepnpj32.exe 1652 Mhnjle32.exe 1652 Mhnjle32.exe 1580 Mdejaf32.exe 1580 Mdejaf32.exe 2052 Njbcim32.exe 2052 Njbcim32.exe 1716 Nplkfgoe.exe 1716 Nplkfgoe.exe 1056 Njdpomfe.exe 1056 Njdpomfe.exe 1824 Npnhlg32.exe 1824 Npnhlg32.exe 932 Ncmdhb32.exe 932 Ncmdhb32.exe 1340 Njgldmdc.exe 1340 Njgldmdc.exe 1608 Nleiqhcg.exe 1608 Nleiqhcg.exe 1380 Nqqdag32.exe 1380 Nqqdag32.exe 2332 Ngkmnacm.exe 2332 Ngkmnacm.exe 592 Nhlifi32.exe 592 Nhlifi32.exe 1268 Nqcagfim.exe 1268 Nqcagfim.exe 3036 Nbdnoo32.exe 3036 Nbdnoo32.exe 2088 Nmjblg32.exe 2088 Nmjblg32.exe 2724 Nbfjdn32.exe 2724 Nbfjdn32.exe 3016 Odegpj32.exe 3016 Odegpj32.exe 2496 Okoomd32.exe 2496 Okoomd32.exe 2452 Ofdcjm32.exe 2452 Ofdcjm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jmhmpb32.exe Jnemdecl.exe File created C:\Windows\SysWOW64\Lollckbk.exe Lkppbl32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Ihomanac.dll Begeknan.exe File opened for modification C:\Windows\SysWOW64\Hggomh32.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Dcpdmj32.dll Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Qecoqk32.exe Qmlgonbe.exe File created C:\Windows\SysWOW64\Oiahfd32.dll Aepojo32.exe File opened for modification C:\Windows\SysWOW64\Kemejc32.exe Kaaijdgn.exe File opened for modification C:\Windows\SysWOW64\Ndbcpd32.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Kjjndgdk.dll Kemejc32.exe File created C:\Windows\SysWOW64\Kolpjf32.dll Pjadmnic.exe File created C:\Windows\SysWOW64\Fnnkng32.dll Bkommo32.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Nceclqan.exe File opened for modification C:\Windows\SysWOW64\Ncmdhb32.exe Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Ppoqge32.exe Pmqdkj32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Ehkhilpb.dll Nlbeqb32.exe File created C:\Windows\SysWOW64\Ejgcdb32.exe Ebpkce32.exe File opened for modification C:\Windows\SysWOW64\Mmahdggc.exe Mkclhl32.exe File created C:\Windows\SysWOW64\Bkddcl32.dll Pedleg32.exe File opened for modification C:\Windows\SysWOW64\Idklfpon.exe Iqopea32.exe File created C:\Windows\SysWOW64\Onmdoioa.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Bfjpdigc.dll Ojfaijcc.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Onhgbmfb.exe File opened for modification C:\Windows\SysWOW64\Aepojo32.exe Abbbnchb.exe File created C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Acpmei32.dll Eloemi32.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Cnmehnan.exe File created C:\Windows\SysWOW64\Ddflckmp.dll Bgknheej.exe File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Kmaled32.exe File opened for modification C:\Windows\SysWOW64\Mlmlecec.exe Meccii32.exe File created C:\Windows\SysWOW64\Enhacojl.exe Efaibbij.exe File created C:\Windows\SysWOW64\Loooca32.exe Llnfaffc.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bingpmnl.exe File opened for modification C:\Windows\SysWOW64\Aibajhdn.exe Afcenm32.exe File created C:\Windows\SysWOW64\Ahikqd32.exe Aekodi32.exe File created C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe File created C:\Windows\SysWOW64\Kmaled32.exe Kifpdelo.exe File created C:\Windows\SysWOW64\Aefbii32.dll Lhpfqama.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Aljgfioc.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fjdbnf32.exe File created C:\Windows\SysWOW64\Jjojofgn.exe Jbgbni32.exe File created C:\Windows\SysWOW64\Meagci32.exe Mgnfhlin.exe File created C:\Windows\SysWOW64\Clphjpmh.dll Facdeo32.exe File created C:\Windows\SysWOW64\Mdqmicng.dll Nefpnhlc.exe File created C:\Windows\SysWOW64\Qahgkbeb.dll d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Facdeo32.exe Filldb32.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Gicbeald.exe File created C:\Windows\SysWOW64\Nqqdag32.exe Nleiqhcg.exe File opened for modification C:\Windows\SysWOW64\Pbkpna32.exe Plahag32.exe File created C:\Windows\SysWOW64\Kcihlong.exe Kaklpcoc.exe File created C:\Windows\SysWOW64\Bmmiij32.exe Bkommo32.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Bibckiab.dll Eajaoq32.exe File created C:\Windows\SysWOW64\Igihbknb.exe Icmlam32.exe File opened for modification C:\Windows\SysWOW64\Kaklpcoc.exe Kiccofna.exe File created C:\Windows\SysWOW64\Kfgdhjmk.exe Kcihlong.exe File created C:\Windows\SysWOW64\Pmdoik32.dll Epaogi32.exe File created C:\Windows\SysWOW64\Jifnmmhq.dll Aplifb32.exe File created C:\Windows\SysWOW64\Dogefd32.exe Dliijipn.exe File opened for modification C:\Windows\SysWOW64\Okchhc32.exe Oqndkj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5284 908 WerFault.exe 590 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofmgl32.dll" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dogefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afldcl32.dll" Kkgmgmfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabnbook.dll" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnqqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfbccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjlmo32.dll" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpmpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdppp32.dll" Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehkodcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifjqh32.dll" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmihgeia.dll" Njbcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajphib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckmmp32.dll" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkhohik.dll" Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naajoinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" Dfdjhndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfecaop.dll" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlblm32.dll" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adhlaggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llnfaffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqiaclmk.dll" Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkhilpb.dll" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" Dqlafm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2096 2980 d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2096 2980 d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2096 2980 d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2096 2980 d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe 28 PID 2096 wrote to memory of 2988 2096 Lganiohl.exe 29 PID 2096 wrote to memory of 2988 2096 Lganiohl.exe 29 PID 2096 wrote to memory of 2988 2096 Lganiohl.exe 29 PID 2096 wrote to memory of 2988 2096 Lganiohl.exe 29 PID 2988 wrote to memory of 2656 2988 Lmkfei32.exe 30 PID 2988 wrote to memory of 2656 2988 Lmkfei32.exe 30 PID 2988 wrote to memory of 2656 2988 Lmkfei32.exe 30 PID 2988 wrote to memory of 2656 2988 Lmkfei32.exe 30 PID 2656 wrote to memory of 2288 2656 Llnfaffc.exe 31 PID 2656 wrote to memory of 2288 2656 Llnfaffc.exe 31 PID 2656 wrote to memory of 2288 2656 Llnfaffc.exe 31 PID 2656 wrote to memory of 2288 2656 Llnfaffc.exe 31 PID 2288 wrote to memory of 2592 2288 Loooca32.exe 32 PID 2288 wrote to memory of 2592 2288 Loooca32.exe 32 PID 2288 wrote to memory of 2592 2288 Loooca32.exe 32 PID 2288 wrote to memory of 2592 2288 Loooca32.exe 32 PID 2592 wrote to memory of 2488 2592 Meigpkka.exe 33 PID 2592 wrote to memory of 2488 2592 Meigpkka.exe 33 PID 2592 wrote to memory of 2488 2592 Meigpkka.exe 33 PID 2592 wrote to memory of 2488 2592 Meigpkka.exe 33 PID 2488 wrote to memory of 2168 2488 Mpolmdkg.exe 34 PID 2488 wrote to memory of 2168 2488 Mpolmdkg.exe 34 PID 2488 wrote to memory of 2168 2488 Mpolmdkg.exe 34 PID 2488 wrote to memory of 2168 2488 Mpolmdkg.exe 34 PID 2168 wrote to memory of 2772 2168 Maphdl32.exe 35 PID 2168 wrote to memory of 2772 2168 Maphdl32.exe 35 PID 2168 wrote to memory of 2772 2168 Maphdl32.exe 35 PID 2168 wrote to memory of 2772 2168 Maphdl32.exe 35 PID 2772 wrote to memory of 1728 2772 Mhjpaf32.exe 36 PID 2772 wrote to memory of 1728 2772 Mhjpaf32.exe 36 PID 2772 wrote to memory of 1728 2772 Mhjpaf32.exe 36 PID 2772 wrote to memory of 1728 2772 Mhjpaf32.exe 36 PID 1728 wrote to memory of 2004 1728 Mochnppo.exe 37 PID 1728 wrote to memory of 2004 1728 Mochnppo.exe 37 PID 1728 wrote to memory of 2004 1728 Mochnppo.exe 37 PID 1728 wrote to memory of 2004 1728 Mochnppo.exe 37 PID 2004 wrote to memory of 1264 2004 Mhlmgf32.exe 38 PID 2004 wrote to memory of 1264 2004 Mhlmgf32.exe 38 PID 2004 wrote to memory of 1264 2004 Mhlmgf32.exe 38 PID 2004 wrote to memory of 1264 2004 Mhlmgf32.exe 38 PID 1264 wrote to memory of 1240 1264 Mnieom32.exe 39 PID 1264 wrote to memory of 1240 1264 Mnieom32.exe 39 PID 1264 wrote to memory of 1240 1264 Mnieom32.exe 39 PID 1264 wrote to memory of 1240 1264 Mnieom32.exe 39 PID 1240 wrote to memory of 1652 1240 Mepnpj32.exe 40 PID 1240 wrote to memory of 1652 1240 Mepnpj32.exe 40 PID 1240 wrote to memory of 1652 1240 Mepnpj32.exe 40 PID 1240 wrote to memory of 1652 1240 Mepnpj32.exe 40 PID 1652 wrote to memory of 1580 1652 Mhnjle32.exe 41 PID 1652 wrote to memory of 1580 1652 Mhnjle32.exe 41 PID 1652 wrote to memory of 1580 1652 Mhnjle32.exe 41 PID 1652 wrote to memory of 1580 1652 Mhnjle32.exe 41 PID 1580 wrote to memory of 2052 1580 Mdejaf32.exe 42 PID 1580 wrote to memory of 2052 1580 Mdejaf32.exe 42 PID 1580 wrote to memory of 2052 1580 Mdejaf32.exe 42 PID 1580 wrote to memory of 2052 1580 Mdejaf32.exe 42 PID 2052 wrote to memory of 1716 2052 Njbcim32.exe 43 PID 2052 wrote to memory of 1716 2052 Njbcim32.exe 43 PID 2052 wrote to memory of 1716 2052 Njbcim32.exe 43 PID 2052 wrote to memory of 1716 2052 Njbcim32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe34⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe36⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe37⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe38⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe39⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe41⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe42⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe43⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe46⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe47⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe48⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe50⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe55⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe57⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe58⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe59⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe60⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe61⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe63⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe65⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe66⤵PID:1128
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe67⤵PID:2256
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe69⤵PID:1672
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe70⤵PID:284
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe71⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe72⤵PID:2664
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe73⤵
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe74⤵PID:2512
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe75⤵PID:2140
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe76⤵PID:2928
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe77⤵PID:1600
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe78⤵PID:1068
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe79⤵PID:1552
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe80⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe81⤵PID:600
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe82⤵PID:1100
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe83⤵PID:1792
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe84⤵PID:1644
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe85⤵PID:1012
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe86⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe87⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe88⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe89⤵PID:2764
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe90⤵PID:2964
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe91⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe92⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe93⤵
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe94⤵PID:2172
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe95⤵PID:1756
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe96⤵PID:1920
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe97⤵PID:624
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe98⤵PID:1048
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe99⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe100⤵PID:2136
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe101⤵PID:2836
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe102⤵PID:2472
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe103⤵PID:2476
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe105⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe106⤵PID:1660
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe107⤵PID:1548
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe108⤵PID:2092
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe109⤵PID:1924
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe110⤵PID:2144
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe111⤵PID:756
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe114⤵PID:2596
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe115⤵PID:2480
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe117⤵PID:1748
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe118⤵PID:1668
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe119⤵PID:1604
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe120⤵PID:1516
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe121⤵PID:1124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-