Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 05:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe
-
Size
272KB
-
MD5
a56a86bafcce13c79b584c4ef376eea0
-
SHA1
4260d5243213240f8fb84e239e4dd2191059f395
-
SHA256
65dc33560a97fe9238671a799238c79d6dd6d13521408cf848d24882f57e9dcb
-
SHA512
aaa292bdd90aa895a7129615ccb3dcfc11b65171f21f92bc31e51367146a583412e8ba4db7b3a354179109b7cc76825e482b7943f12857f655b39c71d8f0dedf
-
SSDEEP
6144:UGKLXglA39bSR0xZKL2bWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRuEuT:n4XbSwwL2bWGRdA6sQhPbWGRdA6sQxuB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnnfkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imcfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmecgba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgamdef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkblohek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imnbbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqehjecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfheodo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmmjjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felekcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhgelk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmecokhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaalom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecoihm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcqebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdngpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofaicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgocid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabplobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekmle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmcibjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdngip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnifkae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djafaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldkeoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbnpkmfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgibqjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amplklmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knodnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpicfdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbicoamh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcandb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blchcpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omlncc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cppakj32.exe -
Executes dropped EXE 64 IoCs
pid Process 1876 Jdkjnl32.exe 2524 Kgnpeg32.exe 2536 Kjoifb32.exe 2404 Kcijeg32.exe 2384 Liklhmom.exe 2824 Lgpiij32.exe 1716 Makjho32.exe 1216 Mpdqdkie.exe 2704 Mpgmijgc.exe 2128 Nianhplq.exe 1476 Ndnlnm32.exe 1680 Ocgbji32.exe 1624 Ooqpdj32.exe 1140 Opplolac.exe 2228 Oihqgbhd.exe 1780 Pdbahpec.exe 1952 Pnopldgn.exe 3020 Qmgibqjc.exe 1792 Qjkjle32.exe 1600 Amnocpdk.exe 1544 Bmkomchi.exe 1156 Blchcpko.exe 2188 Bekmle32.exe 1616 Cbajkiof.exe 1580 Chnbcpmn.exe 2968 Chqoipkk.exe 2124 Ckahkk32.exe 2932 Ddliip32.exe 2580 Dlgnmb32.exe 2640 Depbfhpe.exe 2420 Dpgcip32.exe 2632 Dchmkkkj.exe 2504 Eoajel32.exe 2828 Ehjona32.exe 576 Egokonjc.exe 1516 Fheabelm.exe 2700 Ffibkj32.exe 1904 Fbpbpkpj.exe 1744 Ffmkfifa.exe 1528 Fdbhge32.exe 1464 Gbfiaj32.exe 2304 Gmpjagfa.exe 2008 Gcjbna32.exe 1104 Gmbfggdo.exe 3028 Gghkdp32.exe 1800 Gildahhp.exe 2768 Gcahoqhf.exe 960 Hllmcc32.exe 2800 Heealhla.exe 624 Halbai32.exe 2788 Hbknkl32.exe 1692 Hjfcpo32.exe 2080 Hfmddp32.exe 2908 Ipehmebh.exe 2672 Imiigiab.exe 2816 Ifampo32.exe 2264 Idfnicfl.exe 560 Imnbbi32.exe 1344 Ieigfk32.exe 2716 Iapgkl32.exe 1412 Jkhldafl.exe 932 Jhlmmfef.exe 1628 Jhoice32.exe 2064 Jkmeoa32.exe -
Loads dropped DLL 64 IoCs
pid Process 2248 a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe 2248 a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe 1876 Jdkjnl32.exe 1876 Jdkjnl32.exe 2524 Kgnpeg32.exe 2524 Kgnpeg32.exe 2536 Kjoifb32.exe 2536 Kjoifb32.exe 2404 Kcijeg32.exe 2404 Kcijeg32.exe 2384 Liklhmom.exe 2384 Liklhmom.exe 2824 Lgpiij32.exe 2824 Lgpiij32.exe 1716 Makjho32.exe 1716 Makjho32.exe 1216 Mpdqdkie.exe 1216 Mpdqdkie.exe 2704 Mpgmijgc.exe 2704 Mpgmijgc.exe 2128 Nianhplq.exe 2128 Nianhplq.exe 1476 Ndnlnm32.exe 1476 Ndnlnm32.exe 1680 Ocgbji32.exe 1680 Ocgbji32.exe 1624 Ooqpdj32.exe 1624 Ooqpdj32.exe 1140 Opplolac.exe 1140 Opplolac.exe 2228 Oihqgbhd.exe 2228 Oihqgbhd.exe 1780 Pdbahpec.exe 1780 Pdbahpec.exe 1952 Pnopldgn.exe 1952 Pnopldgn.exe 3020 Qmgibqjc.exe 3020 Qmgibqjc.exe 1792 Qjkjle32.exe 1792 Qjkjle32.exe 1600 Amnocpdk.exe 1600 Amnocpdk.exe 1544 Bmkomchi.exe 1544 Bmkomchi.exe 1156 Blchcpko.exe 1156 Blchcpko.exe 2188 Bekmle32.exe 2188 Bekmle32.exe 1616 Cbajkiof.exe 1616 Cbajkiof.exe 1580 Chnbcpmn.exe 1580 Chnbcpmn.exe 2968 Chqoipkk.exe 2968 Chqoipkk.exe 2124 Ckahkk32.exe 2124 Ckahkk32.exe 2932 Ddliip32.exe 2932 Ddliip32.exe 2580 Dlgnmb32.exe 2580 Dlgnmb32.exe 2640 Depbfhpe.exe 2640 Depbfhpe.exe 2420 Dpgcip32.exe 2420 Dpgcip32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nidoamch.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bejfao32.exe Bammlq32.exe File created C:\Windows\SysWOW64\Kjaaeimj.dll Kilgoe32.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Mpefbfgo.dll Edeclabl.exe File created C:\Windows\SysWOW64\Kbbohh32.dll Pmkfqind.exe File created C:\Windows\SysWOW64\Hnljkf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhfpdi32.exe Ldhgnk32.exe File opened for modification C:\Windows\SysWOW64\Gddobpbe.exe Ghmnmo32.exe File created C:\Windows\SysWOW64\Anaeppkc.dll Process not Found File created C:\Windows\SysWOW64\Gkpfmnlb.exe Gfcnegnk.exe File created C:\Windows\SysWOW64\Aebmjo32.dll Hgbfnngi.exe File created C:\Windows\SysWOW64\Hkpnjd32.exe Hcdifa32.exe File created C:\Windows\SysWOW64\Hgfheodo.exe Hchoop32.exe File created C:\Windows\SysWOW64\Damgll32.dll Process not Found File created C:\Windows\SysWOW64\Ehnfpifm.exe Elgfkhpi.exe File created C:\Windows\SysWOW64\Idkbii32.dll Pgjdmc32.exe File created C:\Windows\SysWOW64\Mcpkkhei.dll Pcqebd32.exe File created C:\Windows\SysWOW64\Lccepqdo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njdqka32.exe Nmqpam32.exe File created C:\Windows\SysWOW64\Ffbpca32.dll Hiioin32.exe File created C:\Windows\SysWOW64\Befddlni.dll Cofaog32.exe File created C:\Windows\SysWOW64\Akjjifji.exe Process not Found File created C:\Windows\SysWOW64\Hdloab32.exe Process not Found File created C:\Windows\SysWOW64\Ooicid32.exe Nfnneb32.exe File created C:\Windows\SysWOW64\Ldkkdd32.dll Aggiigmn.exe File created C:\Windows\SysWOW64\Mhkfeeek.dll Bhdhefpc.exe File created C:\Windows\SysWOW64\Cfaqfh32.exe Cjjpag32.exe File created C:\Windows\SysWOW64\Eldplnan.dll Kjcedj32.exe File created C:\Windows\SysWOW64\Eplmflde.exe Echlmh32.exe File opened for modification C:\Windows\SysWOW64\Khcbpa32.exe Kfdfdf32.exe File opened for modification C:\Windows\SysWOW64\Pgjfflkf.exe Pghjqlmi.exe File created C:\Windows\SysWOW64\Omppei32.dll Kdhcli32.exe File created C:\Windows\SysWOW64\Aphcppmo.exe Aljjjb32.exe File created C:\Windows\SysWOW64\Hlilhb32.dll Ciglaa32.exe File created C:\Windows\SysWOW64\Fomndhng.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lfhhjklc.exe Klpdaf32.exe File created C:\Windows\SysWOW64\Neajod32.dll Lmeebpkd.exe File created C:\Windows\SysWOW64\Lfilnh32.exe Liekddkh.exe File created C:\Windows\SysWOW64\Amnocpdk.exe Qjkjle32.exe File opened for modification C:\Windows\SysWOW64\Koipglep.exe Kilgoe32.exe File opened for modification C:\Windows\SysWOW64\Phfoee32.exe Pbigmn32.exe File created C:\Windows\SysWOW64\Fkihmn32.dll Geddoa32.exe File opened for modification C:\Windows\SysWOW64\Hnheohcl.exe Gcbabpcf.exe File created C:\Windows\SysWOW64\Edlafebn.exe Eifmimch.exe File created C:\Windows\SysWOW64\Lmphha32.dll Gbcien32.exe File created C:\Windows\SysWOW64\Hiofdmkq.exe Hmheol32.exe File created C:\Windows\SysWOW64\Mbhnpplb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Afbnec32.exe Afpapcnc.exe File opened for modification C:\Windows\SysWOW64\Dkcebg32.exe Coldmfkf.exe File opened for modification C:\Windows\SysWOW64\Knbgnhfd.exe Knpkhhhg.exe File created C:\Windows\SysWOW64\Kicnbp32.dll Process not Found File created C:\Windows\SysWOW64\Daplkmbg.exe Dhhhbg32.exe File created C:\Windows\SysWOW64\Figmjq32.exe Fhgppnan.exe File created C:\Windows\SysWOW64\Iaaekl32.exe Hghdjn32.exe File created C:\Windows\SysWOW64\Lenffl32.exe Ligfakaa.exe File created C:\Windows\SysWOW64\Agfbfl32.dll Bejiehfi.exe File opened for modification C:\Windows\SysWOW64\Ihglhp32.exe Ifgpnmom.exe File created C:\Windows\SysWOW64\Cgnnab32.exe Cjjnhnbl.exe File created C:\Windows\SysWOW64\Cenqenin.dll Cimooo32.exe File opened for modification C:\Windows\SysWOW64\Hiofdmkq.exe Hmheol32.exe File created C:\Windows\SysWOW64\Obckihng.dll Process not Found File created C:\Windows\SysWOW64\Oleiokho.dll Process not Found File created C:\Windows\SysWOW64\Gfebgn32.dll Eiekpd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2316 4708 Process not Found 1347 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddobpbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oajopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egghdk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckefnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclnpegj.dll" Pdngpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdkjnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogmcjef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlphbbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coicfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kindeddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifnpchjd.dll" Kfdfdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplmhi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiekpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgegfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeofnpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldnbeokn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligdgc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biiqmd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnleckl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfifeml.dll" Eaphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjppfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenpon32.dll" Kbcfme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejnfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipfkabpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfijm32.dll" Lmlnjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcllmmbh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gghkdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbqcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qklpempi.dll" Njbdea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miehak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbjbge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kppldhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahbckfe.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckada32.dll" Kbgjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmebcgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elefkiaj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll" Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Panehkaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaqkcimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geddoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpalfabn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogiaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knbgnhfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mginjnnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deahcneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcmgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endjeihi.dll" Cjjpag32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2248 wrote to memory of 1876 2248 a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe 28 PID 2248 wrote to memory of 1876 2248 a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe 28 PID 2248 wrote to memory of 1876 2248 a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe 28 PID 2248 wrote to memory of 1876 2248 a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe 28 PID 1876 wrote to memory of 2524 1876 Jdkjnl32.exe 29 PID 1876 wrote to memory of 2524 1876 Jdkjnl32.exe 29 PID 1876 wrote to memory of 2524 1876 Jdkjnl32.exe 29 PID 1876 wrote to memory of 2524 1876 Jdkjnl32.exe 29 PID 2524 wrote to memory of 2536 2524 Kgnpeg32.exe 30 PID 2524 wrote to memory of 2536 2524 Kgnpeg32.exe 30 PID 2524 wrote to memory of 2536 2524 Kgnpeg32.exe 30 PID 2524 wrote to memory of 2536 2524 Kgnpeg32.exe 30 PID 2536 wrote to memory of 2404 2536 Kjoifb32.exe 31 PID 2536 wrote to memory of 2404 2536 Kjoifb32.exe 31 PID 2536 wrote to memory of 2404 2536 Kjoifb32.exe 31 PID 2536 wrote to memory of 2404 2536 Kjoifb32.exe 31 PID 2404 wrote to memory of 2384 2404 Kcijeg32.exe 32 PID 2404 wrote to memory of 2384 2404 Kcijeg32.exe 32 PID 2404 wrote to memory of 2384 2404 Kcijeg32.exe 32 PID 2404 wrote to memory of 2384 2404 Kcijeg32.exe 32 PID 2384 wrote to memory of 2824 2384 Liklhmom.exe 33 PID 2384 wrote to memory of 2824 2384 Liklhmom.exe 33 PID 2384 wrote to memory of 2824 2384 Liklhmom.exe 33 PID 2384 wrote to memory of 2824 2384 Liklhmom.exe 33 PID 2824 wrote to memory of 1716 2824 Lgpiij32.exe 34 PID 2824 wrote to memory of 1716 2824 Lgpiij32.exe 34 PID 2824 wrote to memory of 1716 2824 Lgpiij32.exe 34 PID 2824 wrote to memory of 1716 2824 Lgpiij32.exe 34 PID 1716 wrote to memory of 1216 1716 Makjho32.exe 35 PID 1716 wrote to memory of 1216 1716 Makjho32.exe 35 PID 1716 wrote to memory of 1216 1716 Makjho32.exe 35 PID 1716 wrote to memory of 1216 1716 Makjho32.exe 35 PID 1216 wrote to memory of 2704 1216 Mpdqdkie.exe 36 PID 1216 wrote to memory of 2704 1216 Mpdqdkie.exe 36 PID 1216 wrote to memory of 2704 1216 Mpdqdkie.exe 36 PID 1216 wrote to memory of 2704 1216 Mpdqdkie.exe 36 PID 2704 wrote to memory of 2128 2704 Mpgmijgc.exe 37 PID 2704 wrote to memory of 2128 2704 Mpgmijgc.exe 37 PID 2704 wrote to memory of 2128 2704 Mpgmijgc.exe 37 PID 2704 wrote to memory of 2128 2704 Mpgmijgc.exe 37 PID 2128 wrote to memory of 1476 2128 Nianhplq.exe 38 PID 2128 wrote to memory of 1476 2128 Nianhplq.exe 38 PID 2128 wrote to memory of 1476 2128 Nianhplq.exe 38 PID 2128 wrote to memory of 1476 2128 Nianhplq.exe 38 PID 1476 wrote to memory of 1680 1476 Ndnlnm32.exe 39 PID 1476 wrote to memory of 1680 1476 Ndnlnm32.exe 39 PID 1476 wrote to memory of 1680 1476 Ndnlnm32.exe 39 PID 1476 wrote to memory of 1680 1476 Ndnlnm32.exe 39 PID 1680 wrote to memory of 1624 1680 Ocgbji32.exe 40 PID 1680 wrote to memory of 1624 1680 Ocgbji32.exe 40 PID 1680 wrote to memory of 1624 1680 Ocgbji32.exe 40 PID 1680 wrote to memory of 1624 1680 Ocgbji32.exe 40 PID 1624 wrote to memory of 1140 1624 Ooqpdj32.exe 41 PID 1624 wrote to memory of 1140 1624 Ooqpdj32.exe 41 PID 1624 wrote to memory of 1140 1624 Ooqpdj32.exe 41 PID 1624 wrote to memory of 1140 1624 Ooqpdj32.exe 41 PID 1140 wrote to memory of 2228 1140 Opplolac.exe 42 PID 1140 wrote to memory of 2228 1140 Opplolac.exe 42 PID 1140 wrote to memory of 2228 1140 Opplolac.exe 42 PID 1140 wrote to memory of 2228 1140 Opplolac.exe 42 PID 2228 wrote to memory of 1780 2228 Oihqgbhd.exe 43 PID 2228 wrote to memory of 1780 2228 Oihqgbhd.exe 43 PID 2228 wrote to memory of 1780 2228 Oihqgbhd.exe 43 PID 2228 wrote to memory of 1780 2228 Oihqgbhd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a56a86bafcce13c79b584c4ef376eea0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe33⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe34⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe35⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe36⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe37⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe38⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe39⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe40⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe42⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe43⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe44⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe45⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe47⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe48⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe49⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe50⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe51⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe52⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe53⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe54⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe55⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe56⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe57⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe58⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe60⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe61⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe62⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe63⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe64⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe65⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe66⤵PID:2024
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe67⤵PID:2880
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1272 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe69⤵PID:920
-
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe70⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe71⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe72⤵PID:2752
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe73⤵PID:2172
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe75⤵PID:2512
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe76⤵PID:1656
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe77⤵PID:2428
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe78⤵PID:2364
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe79⤵PID:1636
-
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe80⤵PID:2720
-
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe82⤵PID:2456
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe84⤵PID:1988
-
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe85⤵PID:2896
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe86⤵PID:2076
-
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe87⤵PID:832
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe88⤵PID:1508
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe89⤵PID:2780
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe90⤵PID:1452
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe91⤵PID:888
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe92⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe93⤵
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe94⤵PID:2492
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe96⤵PID:2408
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe97⤵PID:1644
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe98⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe99⤵PID:1408
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe100⤵PID:1920
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe101⤵PID:596
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe102⤵PID:660
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe103⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe104⤵PID:1108
-
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe105⤵PID:2036
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe106⤵PID:1092
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe107⤵PID:864
-
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe108⤵PID:1880
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe109⤵PID:2560
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe110⤵PID:2584
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe111⤵PID:1040
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe112⤵PID:2360
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe113⤵PID:2596
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe114⤵PID:2152
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe115⤵PID:2004
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe116⤵PID:1756
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe117⤵PID:2688
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe118⤵PID:2232
-
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe119⤵PID:2092
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe120⤵PID:2868
-
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe121⤵PID:2692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-