Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 15:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe
-
Size
273KB
-
MD5
e28b59385b3bebcffda0c92d2122af20
-
SHA1
07ee4ccdb7329370b621d3fa659e9b8089e76928
-
SHA256
8d380696a82e3437e107d96498401b7b125378abe8af83948bff6d0e53c4dc8f
-
SHA512
28b4aa45544798d8b0a0dd511426b8898aa3d7f604b784e51bcb1c8ff66cf1e45ffad1c68cbb0bdbd65e06a6d024742d3fce2f41b3ee9bedc0848af25ec51176
-
SSDEEP
6144:fM4ANVp7M4ZxISR0vbQWbv/cibfvlsZRkTebwBhGv4dC+1R8pvBgL0eXkUbGKl9r:E3ANJ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqopea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnigda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpfkdmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgfckcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe -
Executes dropped EXE 64 IoCs
pid Process 1748 Oelmai32.exe 2900 Ojieip32.exe 2996 Omgaek32.exe 2668 Oqcnfjli.exe 2648 Ogmfbd32.exe 2760 Pchpbded.exe 2568 Pnbacbac.exe 2584 Phjelg32.exe 1776 Penfelgm.exe 1952 Qaefjm32.exe 1996 Qnigda32.exe 1976 Ahakmf32.exe 376 Ampqjm32.exe 2824 Apomfh32.exe 2268 Amejeljk.exe 484 Abbbnchb.exe 1724 Bkodhe32.exe 1924 Baildokg.exe 2880 Beehencq.exe 1368 Bdjefj32.exe 772 Bdlblj32.exe 2008 Bgknheej.exe 3016 Bkfjhd32.exe 900 Ckignd32.exe 3060 Cdakgibq.exe 2888 Cjndop32.exe 1788 Cnippoha.exe 2152 Chcqpmep.exe 2844 Copfbfjj.exe 1284 Cbnbobin.exe 1796 Dbpodagk.exe 2868 Dflkdp32.exe 2792 Dhjgal32.exe 2744 Dgmglh32.exe 2596 Dngoibmo.exe 2080 Dbbkja32.exe 1216 Dhmcfkme.exe 2184 Dkkpbgli.exe 1932 Dnilobkm.exe 1820 Dqhhknjp.exe 2828 Dcfdgiid.exe 1308 Djpmccqq.exe 2256 Dmoipopd.exe 1692 Dchali32.exe 1476 Dfgmhd32.exe 1428 Dnneja32.exe 764 Dqlafm32.exe 1648 Dcknbh32.exe 1856 Eihfjo32.exe 836 Epaogi32.exe 2432 Ejgcdb32.exe 2328 Emeopn32.exe 888 Epdkli32.exe 1628 Ebbgid32.exe 1684 Eeqdep32.exe 1680 Enihne32.exe 2180 Eiomkn32.exe 2736 Ebgacddo.exe 2836 Egdilkbf.exe 2804 Ebinic32.exe 2532 Fnpnndgp.exe 1388 Faokjpfd.exe 2004 Fcmgfkeg.exe 1968 Ffkcbgek.exe -
Loads dropped DLL 64 IoCs
pid Process 2068 e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe 2068 e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe 1748 Oelmai32.exe 1748 Oelmai32.exe 2900 Ojieip32.exe 2900 Ojieip32.exe 2996 Omgaek32.exe 2996 Omgaek32.exe 2668 Oqcnfjli.exe 2668 Oqcnfjli.exe 2648 Ogmfbd32.exe 2648 Ogmfbd32.exe 2760 Pchpbded.exe 2760 Pchpbded.exe 2568 Pnbacbac.exe 2568 Pnbacbac.exe 2584 Phjelg32.exe 2584 Phjelg32.exe 1776 Penfelgm.exe 1776 Penfelgm.exe 1952 Qaefjm32.exe 1952 Qaefjm32.exe 1996 Qnigda32.exe 1996 Qnigda32.exe 1976 Ahakmf32.exe 1976 Ahakmf32.exe 376 Ampqjm32.exe 376 Ampqjm32.exe 2824 Apomfh32.exe 2824 Apomfh32.exe 2268 Amejeljk.exe 2268 Amejeljk.exe 484 Abbbnchb.exe 484 Abbbnchb.exe 1724 Bkodhe32.exe 1724 Bkodhe32.exe 1924 Baildokg.exe 1924 Baildokg.exe 2880 Beehencq.exe 2880 Beehencq.exe 1368 Bdjefj32.exe 1368 Bdjefj32.exe 772 Bdlblj32.exe 772 Bdlblj32.exe 2008 Bgknheej.exe 2008 Bgknheej.exe 3016 Bkfjhd32.exe 3016 Bkfjhd32.exe 900 Ckignd32.exe 900 Ckignd32.exe 3060 Cdakgibq.exe 3060 Cdakgibq.exe 2888 Cjndop32.exe 2888 Cjndop32.exe 1788 Cnippoha.exe 1788 Cnippoha.exe 2152 Chcqpmep.exe 2152 Chcqpmep.exe 2844 Copfbfjj.exe 2844 Copfbfjj.exe 1284 Cbnbobin.exe 1284 Cbnbobin.exe 1796 Dbpodagk.exe 1796 Dbpodagk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Igmdobgi.dll Bpiipf32.exe File opened for modification C:\Windows\SysWOW64\Omgaek32.exe Ojieip32.exe File opened for modification C:\Windows\SysWOW64\Ifcbodli.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Ikbkhq32.dll Jmocpado.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Ngpolo32.exe File opened for modification C:\Windows\SysWOW64\Ooeggp32.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Kaplbi32.dll Pbfpik32.exe File created C:\Windows\SysWOW64\Aemkjiem.exe Aaaoij32.exe File opened for modification C:\Windows\SysWOW64\Qnigda32.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Ccngld32.exe File created C:\Windows\SysWOW64\Nocnbmoo.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Pkjapnke.dll Dngoibmo.exe File created C:\Windows\SysWOW64\Epaogi32.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Ongbcmlc.dll Ffkcbgek.exe File created C:\Windows\SysWOW64\Bjlcgibn.dll Ijeghgoh.exe File created C:\Windows\SysWOW64\Nclpan32.dll Jbnhng32.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mpdnkb32.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Nejiih32.exe File created C:\Windows\SysWOW64\Qbelgood.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Bhglodcb.dll Qlkdkd32.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lkncmmle.exe File created C:\Windows\SysWOW64\Kemedbfd.dll Mgljbm32.exe File opened for modification C:\Windows\SysWOW64\Cadhnmnm.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Akigbbni.dll Cppkph32.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Ojieip32.exe Oelmai32.exe File created C:\Windows\SysWOW64\Bgknheej.exe Bdlblj32.exe File created C:\Windows\SysWOW64\Kjnifgah.dll Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Lemaif32.exe Lbnemk32.exe File opened for modification C:\Windows\SysWOW64\Pjcabmga.exe Pgeefbhm.exe File created C:\Windows\SysWOW64\Hejoiedd.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kcbakpdo.exe File created C:\Windows\SysWOW64\Pikkiijf.exe Pgioaa32.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Bdbhke32.exe Amhpnkch.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Najdnj32.exe Nolhan32.exe File created C:\Windows\SysWOW64\Hllopfgo.dll Ggpimica.exe File created C:\Windows\SysWOW64\Oonafa32.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Pjadmnic.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Cpkbdiqb.exe File created C:\Windows\SysWOW64\Lchkpi32.dll Egllae32.exe File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe Dcknbh32.exe File created C:\Windows\SysWOW64\Jmloladn.dll Ebinic32.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Hpapln32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Loeebl32.exe Llfifq32.exe File opened for modification C:\Windows\SysWOW64\Obojhlbq.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Ecmkgokh.dll Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Icbimi32.exe File created C:\Windows\SysWOW64\Qlkdkd32.exe Qmicohqm.exe File created C:\Windows\SysWOW64\Bpiipf32.exe Bmkmdk32.exe File opened for modification C:\Windows\SysWOW64\Fkckeh32.exe Fjaonpnn.exe File opened for modification C:\Windows\SysWOW64\Pggbla32.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Fileil32.dll Dfoqmo32.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Bcmkhb32.dll Imfqjbli.exe File opened for modification C:\Windows\SysWOW64\Nglfapnl.exe Nhiffc32.exe File opened for modification C:\Windows\SysWOW64\Ojfaijcc.exe Obojhlbq.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Dhjgal32.exe File created C:\Windows\SysWOW64\Kifjcn32.dll Fbgmbg32.exe File created C:\Windows\SysWOW64\Kjpfgi32.dll Gegfdb32.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Leajdfnm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4388 4364 WerFault.exe 360 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milokblc.dll" Pgeefbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phjelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampqjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpli32.dll" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlbeqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgcp32.dll" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeqjnho.dll" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epaogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjacko32.dll" Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmkhb32.dll" Imfqjbli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keanebkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfenbpec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjobj32.dll" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkfjhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhgmpfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqkmbmdg.dll" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbcpbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbgodfkh.dll" Nlbeqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faokjpfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgmglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddcahee.dll" Ogblbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogblbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll" Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklmgb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 1748 2068 e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe 28 PID 2068 wrote to memory of 1748 2068 e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe 28 PID 2068 wrote to memory of 1748 2068 e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe 28 PID 2068 wrote to memory of 1748 2068 e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe 28 PID 1748 wrote to memory of 2900 1748 Oelmai32.exe 29 PID 1748 wrote to memory of 2900 1748 Oelmai32.exe 29 PID 1748 wrote to memory of 2900 1748 Oelmai32.exe 29 PID 1748 wrote to memory of 2900 1748 Oelmai32.exe 29 PID 2900 wrote to memory of 2996 2900 Ojieip32.exe 30 PID 2900 wrote to memory of 2996 2900 Ojieip32.exe 30 PID 2900 wrote to memory of 2996 2900 Ojieip32.exe 30 PID 2900 wrote to memory of 2996 2900 Ojieip32.exe 30 PID 2996 wrote to memory of 2668 2996 Omgaek32.exe 31 PID 2996 wrote to memory of 2668 2996 Omgaek32.exe 31 PID 2996 wrote to memory of 2668 2996 Omgaek32.exe 31 PID 2996 wrote to memory of 2668 2996 Omgaek32.exe 31 PID 2668 wrote to memory of 2648 2668 Oqcnfjli.exe 32 PID 2668 wrote to memory of 2648 2668 Oqcnfjli.exe 32 PID 2668 wrote to memory of 2648 2668 Oqcnfjli.exe 32 PID 2668 wrote to memory of 2648 2668 Oqcnfjli.exe 32 PID 2648 wrote to memory of 2760 2648 Ogmfbd32.exe 33 PID 2648 wrote to memory of 2760 2648 Ogmfbd32.exe 33 PID 2648 wrote to memory of 2760 2648 Ogmfbd32.exe 33 PID 2648 wrote to memory of 2760 2648 Ogmfbd32.exe 33 PID 2760 wrote to memory of 2568 2760 Pchpbded.exe 34 PID 2760 wrote to memory of 2568 2760 Pchpbded.exe 34 PID 2760 wrote to memory of 2568 2760 Pchpbded.exe 34 PID 2760 wrote to memory of 2568 2760 Pchpbded.exe 34 PID 2568 wrote to memory of 2584 2568 Pnbacbac.exe 35 PID 2568 wrote to memory of 2584 2568 Pnbacbac.exe 35 PID 2568 wrote to memory of 2584 2568 Pnbacbac.exe 35 PID 2568 wrote to memory of 2584 2568 Pnbacbac.exe 35 PID 2584 wrote to memory of 1776 2584 Phjelg32.exe 36 PID 2584 wrote to memory of 1776 2584 Phjelg32.exe 36 PID 2584 wrote to memory of 1776 2584 Phjelg32.exe 36 PID 2584 wrote to memory of 1776 2584 Phjelg32.exe 36 PID 1776 wrote to memory of 1952 1776 Penfelgm.exe 37 PID 1776 wrote to memory of 1952 1776 Penfelgm.exe 37 PID 1776 wrote to memory of 1952 1776 Penfelgm.exe 37 PID 1776 wrote to memory of 1952 1776 Penfelgm.exe 37 PID 1952 wrote to memory of 1996 1952 Qaefjm32.exe 38 PID 1952 wrote to memory of 1996 1952 Qaefjm32.exe 38 PID 1952 wrote to memory of 1996 1952 Qaefjm32.exe 38 PID 1952 wrote to memory of 1996 1952 Qaefjm32.exe 38 PID 1996 wrote to memory of 1976 1996 Qnigda32.exe 39 PID 1996 wrote to memory of 1976 1996 Qnigda32.exe 39 PID 1996 wrote to memory of 1976 1996 Qnigda32.exe 39 PID 1996 wrote to memory of 1976 1996 Qnigda32.exe 39 PID 1976 wrote to memory of 376 1976 Ahakmf32.exe 40 PID 1976 wrote to memory of 376 1976 Ahakmf32.exe 40 PID 1976 wrote to memory of 376 1976 Ahakmf32.exe 40 PID 1976 wrote to memory of 376 1976 Ahakmf32.exe 40 PID 376 wrote to memory of 2824 376 Ampqjm32.exe 41 PID 376 wrote to memory of 2824 376 Ampqjm32.exe 41 PID 376 wrote to memory of 2824 376 Ampqjm32.exe 41 PID 376 wrote to memory of 2824 376 Ampqjm32.exe 41 PID 2824 wrote to memory of 2268 2824 Apomfh32.exe 42 PID 2824 wrote to memory of 2268 2824 Apomfh32.exe 42 PID 2824 wrote to memory of 2268 2824 Apomfh32.exe 42 PID 2824 wrote to memory of 2268 2824 Apomfh32.exe 42 PID 2268 wrote to memory of 484 2268 Amejeljk.exe 43 PID 2268 wrote to memory of 484 2268 Amejeljk.exe 43 PID 2268 wrote to memory of 484 2268 Amejeljk.exe 43 PID 2268 wrote to memory of 484 2268 Amejeljk.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e28b59385b3bebcffda0c92d2122af20_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe38⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe39⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe41⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe45⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe46⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe47⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe48⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe52⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe53⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe54⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe55⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe57⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe58⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe59⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe64⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe66⤵PID:2680
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe67⤵PID:2392
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe69⤵PID:1492
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe70⤵PID:1340
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe71⤵PID:1392
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe72⤵PID:2020
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe73⤵PID:2116
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe78⤵PID:2488
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe79⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe80⤵PID:2516
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe81⤵PID:2104
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe82⤵PID:1236
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe83⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe84⤵PID:1028
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe85⤵PID:2368
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe86⤵PID:584
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe87⤵PID:1040
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe88⤵PID:632
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe89⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe90⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe91⤵PID:1528
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1288 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe93⤵PID:2860
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe95⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe96⤵PID:1588
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe98⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe100⤵PID:2772
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe102⤵PID:2812
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe105⤵
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe106⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe107⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe108⤵PID:2948
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe109⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe110⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe111⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe112⤵PID:1652
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe113⤵PID:2320
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe114⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe115⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe118⤵PID:2332
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe121⤵PID:2672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-