Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 00:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe
-
Size
790KB
-
MD5
5fcc63341b346565afaa7653b380c93d
-
SHA1
b1669451002e9b06b0ba93851a90bd60141537a0
-
SHA256
00190e880088e70d1eada4a0979e7e560da4d45405876b59f6b6b516e49c3101
-
SHA512
77205055ec6ae204eb6c883ba7a44ff83329574c3921c5c07910e5ce1966a7ded349b6a488c5a166a644b708f3098bf36d5de1b5f8b8ef4c58043c8637edff68
-
SSDEEP
6144:z2J3/5zplwFM6234lKmwr8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqko:z2vpmFB24lA87g7/VycgE81lgxaa79y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgjednf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahogc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbchni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fimoiopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbpeoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccnifd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecpjfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpffje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooclji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfdopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfofol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilnmdgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bepjha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilabmedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppfafcpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinhdmma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akadpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edfpih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qldhkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoomflpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hicqmmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Geeemeif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppopja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnpkflne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgknkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngbmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojpomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpdbloof.exe -
Executes dropped EXE 64 IoCs
pid Process 2888 Kneicieh.exe 2704 Knjbnh32.exe 2600 Kcihlong.exe 2880 Lpdbloof.exe 2720 Lkppbl32.exe 3004 Mkeimlfm.exe 2832 Meagci32.exe 1340 Mpigfa32.exe 1572 Nialog32.exe 1456 Nkbhgojk.exe 976 Nehmdhja.exe 2676 Nncahjgl.exe 2036 Nkgbbo32.exe 2244 Ndpfkdmf.exe 2800 Nnhkcj32.exe 1772 Ndbcpd32.exe 2220 Ogblbo32.exe 1152 Olpdjf32.exe 1660 Ocimgp32.exe 948 Oqmmpd32.exe 1668 Bblogakg.exe 2656 Biicik32.exe 2392 Ckjpacfp.exe 2000 Cgcmlcja.exe 2132 Cnmehnan.exe 2100 Cnobnmpl.exe 2608 Dgjclbdi.exe 2708 Doehqead.exe 2060 Dlkepi32.exe 2744 Dojald32.exe 2460 Dfffnn32.exe 2516 Dggcffhg.exe 2856 Edkcojga.exe 2876 Endhhp32.exe 484 Emieil32.exe 2768 Eccmffjf.exe 2956 Egafleqm.exe 1628 Ejobhppq.exe 3008 Fidoim32.exe 1176 Fpngfgle.exe 2924 Fmbhok32.exe 1904 Fbopgb32.exe 1972 Fiihdlpc.exe 2008 Fadminnn.exe 1956 Fljafg32.exe 1312 Febfomdd.exe 888 Fllnlg32.exe 1560 Gedbdlbb.exe 1440 Gpncej32.exe 2388 Gjdhbc32.exe 2336 Ganpomec.exe 2432 Gjfdhbld.exe 1620 Glgaok32.exe 2740 Gbaileio.exe 2732 Gebbnpfp.exe 2468 Hpgfki32.exe 2204 Hedocp32.exe 2976 Hbhomd32.exe 1320 Hhehek32.exe 2776 Hanlnp32.exe 1976 Hgjefg32.exe 1852 Hpbiommg.exe 1072 Hhjapjmi.exe 3040 Hiknhbcg.exe -
Loads dropped DLL 64 IoCs
pid Process 2180 5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe 2180 5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe 2888 Kneicieh.exe 2888 Kneicieh.exe 2704 Knjbnh32.exe 2704 Knjbnh32.exe 2600 Kcihlong.exe 2600 Kcihlong.exe 2880 Lpdbloof.exe 2880 Lpdbloof.exe 2720 Lkppbl32.exe 2720 Lkppbl32.exe 3004 Mkeimlfm.exe 3004 Mkeimlfm.exe 2832 Meagci32.exe 2832 Meagci32.exe 1340 Mpigfa32.exe 1340 Mpigfa32.exe 1572 Nialog32.exe 1572 Nialog32.exe 1456 Nkbhgojk.exe 1456 Nkbhgojk.exe 976 Nehmdhja.exe 976 Nehmdhja.exe 2676 Nncahjgl.exe 2676 Nncahjgl.exe 2036 Nkgbbo32.exe 2036 Nkgbbo32.exe 2244 Ndpfkdmf.exe 2244 Ndpfkdmf.exe 2800 Nnhkcj32.exe 2800 Nnhkcj32.exe 1772 Ndbcpd32.exe 1772 Ndbcpd32.exe 2220 Ogblbo32.exe 2220 Ogblbo32.exe 1152 Olpdjf32.exe 1152 Olpdjf32.exe 1660 Ocimgp32.exe 1660 Ocimgp32.exe 948 Oqmmpd32.exe 948 Oqmmpd32.exe 1668 Bblogakg.exe 1668 Bblogakg.exe 2656 Biicik32.exe 2656 Biicik32.exe 2392 Ckjpacfp.exe 2392 Ckjpacfp.exe 2000 Cgcmlcja.exe 2000 Cgcmlcja.exe 2132 Cnmehnan.exe 2132 Cnmehnan.exe 1480 Cnaocmmi.exe 1480 Cnaocmmi.exe 2608 Dgjclbdi.exe 2608 Dgjclbdi.exe 2708 Doehqead.exe 2708 Doehqead.exe 2060 Dlkepi32.exe 2060 Dlkepi32.exe 2744 Dojald32.exe 2744 Dojald32.exe 2460 Dfffnn32.exe 2460 Dfffnn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iichjc32.exe Ipjdameg.exe File created C:\Windows\SysWOW64\Bogjaamh.exe Bjjaikoa.exe File opened for modification C:\Windows\SysWOW64\Plndcmmj.exe Process not Found File created C:\Windows\SysWOW64\Cjdfoo32.dll Process not Found File created C:\Windows\SysWOW64\Mjjdacik.exe Mpdqdkie.exe File opened for modification C:\Windows\SysWOW64\Pkljdj32.exe Pdbahpec.exe File opened for modification C:\Windows\SysWOW64\Hjcppidk.exe Hblgnkdh.exe File opened for modification C:\Windows\SysWOW64\Lbfook32.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Npdmdbpm.dll Process not Found File created C:\Windows\SysWOW64\Aflfjc32.exe Ajeeeblb.exe File created C:\Windows\SysWOW64\Ddkgbc32.exe Process not Found File created C:\Windows\SysWOW64\Panfjh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kgjjndeq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oeeecekc.exe Ookmfk32.exe File created C:\Windows\SysWOW64\Agdjkogm.exe Aeenochi.exe File created C:\Windows\SysWOW64\Mmkehj32.dll Lgpiij32.exe File created C:\Windows\SysWOW64\Gcokiaji.exe Gmecmg32.exe File opened for modification C:\Windows\SysWOW64\Gedbdlbb.exe Fllnlg32.exe File created C:\Windows\SysWOW64\Ffcnqe32.dll Process not Found File created C:\Windows\SysWOW64\Ggkqmoma.exe Gqahqd32.exe File created C:\Windows\SysWOW64\Legaoehg.exe Laleof32.exe File created C:\Windows\SysWOW64\Baefnmml.exe Bogjaamh.exe File created C:\Windows\SysWOW64\Bjmbqhif.exe Bepjha32.exe File created C:\Windows\SysWOW64\Mbdpeq32.dll Mfglep32.exe File opened for modification C:\Windows\SysWOW64\Dlifadkk.exe Deondj32.exe File opened for modification C:\Windows\SysWOW64\Nkobpmlo.exe Nbfnggeo.exe File created C:\Windows\SysWOW64\Mfmqmgbm.exe Mnblhddb.exe File created C:\Windows\SysWOW64\Onfabgch.exe Nqbaic32.exe File created C:\Windows\SysWOW64\Jhnlkifo.dll Gpncej32.exe File created C:\Windows\SysWOW64\Ganpomec.exe Gjdhbc32.exe File created C:\Windows\SysWOW64\Bafple32.dll Heealhla.exe File created C:\Windows\SysWOW64\Ghbljk32.exe Gecpnp32.exe File created C:\Windows\SysWOW64\Bjjaikoa.exe Bacihmoo.exe File opened for modification C:\Windows\SysWOW64\Djocbqpb.exe Dhpgfeao.exe File created C:\Windows\SysWOW64\Peipigfb.dll Dpgcip32.exe File created C:\Windows\SysWOW64\Mmicfh32.exe Mbcoio32.exe File created C:\Windows\SysWOW64\Injlkf32.exe Process not Found File created C:\Windows\SysWOW64\Fpcgndfi.dll Gdegfn32.exe File created C:\Windows\SysWOW64\Bfjkphjd.exe Process not Found File created C:\Windows\SysWOW64\Alaccj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Alaccj32.exe Process not Found File created C:\Windows\SysWOW64\Mpefbfgo.dll Process not Found File created C:\Windows\SysWOW64\Kneicieh.exe 5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Obokcqhk.exe Opqoge32.exe File opened for modification C:\Windows\SysWOW64\Mkcplien.exe Mdigoo32.exe File opened for modification C:\Windows\SysWOW64\Ghaeoe32.exe Process not Found File created C:\Windows\SysWOW64\Lpcafg32.dll Process not Found File created C:\Windows\SysWOW64\Pajeanhf.exe Process not Found File created C:\Windows\SysWOW64\Ocdqlmmg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gjlgfaco.exe Gbqbaofc.exe File created C:\Windows\SysWOW64\Dlgnmb32.exe Dbojdmcd.exe File created C:\Windows\SysWOW64\Cceogcfj.exe Cmkfji32.exe File opened for modification C:\Windows\SysWOW64\Mnpobefe.exe Mploiq32.exe File opened for modification C:\Windows\SysWOW64\Ibhndp32.exe Ilofhffj.exe File created C:\Windows\SysWOW64\Mfjgiobf.dll Lfbdci32.exe File created C:\Windows\SysWOW64\Ipbkjl32.dll Kageia32.exe File opened for modification C:\Windows\SysWOW64\Dnnhbjnk.exe Djqoll32.exe File created C:\Windows\SysWOW64\Blhoaobk.dll Gjicfk32.exe File created C:\Windows\SysWOW64\Fhgkakgl.dll Eanldqgf.exe File created C:\Windows\SysWOW64\Ohipla32.exe Oaogognm.exe File opened for modification C:\Windows\SysWOW64\Faonom32.exe Fdkmeiei.exe File created C:\Windows\SysWOW64\Fmbfnakd.dll Ahedjb32.exe File created C:\Windows\SysWOW64\Epqgopbi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fmbgageq.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 4452 3656 Process not Found 1517 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abhkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdjjm32.dll" Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ladebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcmnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnpoh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djqoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecikhmn.dll" Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhkeohhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjglq32.dll" Ledibnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qngmgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjnjjbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkjfakb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpffje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djiqdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll" Bobhal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iajemnia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkegeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Laleof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaipghcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcejc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhhabcc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpjflkfg.dll" Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfhkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojcqog32.dll" Ldbofgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkdnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkdehfdg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgdipbc.dll" Bjmbqhif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Liklhmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmaomdn.dll" Ppcbgkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gamnel32.dll" Momfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmaidb32.dll" Ehoocgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hiknhbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnihdemo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2888 2180 5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe 28 PID 2180 wrote to memory of 2888 2180 5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe 28 PID 2180 wrote to memory of 2888 2180 5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe 28 PID 2180 wrote to memory of 2888 2180 5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe 28 PID 2888 wrote to memory of 2704 2888 Kneicieh.exe 29 PID 2888 wrote to memory of 2704 2888 Kneicieh.exe 29 PID 2888 wrote to memory of 2704 2888 Kneicieh.exe 29 PID 2888 wrote to memory of 2704 2888 Kneicieh.exe 29 PID 2704 wrote to memory of 2600 2704 Knjbnh32.exe 30 PID 2704 wrote to memory of 2600 2704 Knjbnh32.exe 30 PID 2704 wrote to memory of 2600 2704 Knjbnh32.exe 30 PID 2704 wrote to memory of 2600 2704 Knjbnh32.exe 30 PID 2600 wrote to memory of 2880 2600 Kcihlong.exe 31 PID 2600 wrote to memory of 2880 2600 Kcihlong.exe 31 PID 2600 wrote to memory of 2880 2600 Kcihlong.exe 31 PID 2600 wrote to memory of 2880 2600 Kcihlong.exe 31 PID 2880 wrote to memory of 2720 2880 Lpdbloof.exe 32 PID 2880 wrote to memory of 2720 2880 Lpdbloof.exe 32 PID 2880 wrote to memory of 2720 2880 Lpdbloof.exe 32 PID 2880 wrote to memory of 2720 2880 Lpdbloof.exe 32 PID 2720 wrote to memory of 3004 2720 Lkppbl32.exe 33 PID 2720 wrote to memory of 3004 2720 Lkppbl32.exe 33 PID 2720 wrote to memory of 3004 2720 Lkppbl32.exe 33 PID 2720 wrote to memory of 3004 2720 Lkppbl32.exe 33 PID 3004 wrote to memory of 2832 3004 Mkeimlfm.exe 34 PID 3004 wrote to memory of 2832 3004 Mkeimlfm.exe 34 PID 3004 wrote to memory of 2832 3004 Mkeimlfm.exe 34 PID 3004 wrote to memory of 2832 3004 Mkeimlfm.exe 34 PID 2832 wrote to memory of 1340 2832 Meagci32.exe 35 PID 2832 wrote to memory of 1340 2832 Meagci32.exe 35 PID 2832 wrote to memory of 1340 2832 Meagci32.exe 35 PID 2832 wrote to memory of 1340 2832 Meagci32.exe 35 PID 1340 wrote to memory of 1572 1340 Mpigfa32.exe 36 PID 1340 wrote to memory of 1572 1340 Mpigfa32.exe 36 PID 1340 wrote to memory of 1572 1340 Mpigfa32.exe 36 PID 1340 wrote to memory of 1572 1340 Mpigfa32.exe 36 PID 1572 wrote to memory of 1456 1572 Nialog32.exe 37 PID 1572 wrote to memory of 1456 1572 Nialog32.exe 37 PID 1572 wrote to memory of 1456 1572 Nialog32.exe 37 PID 1572 wrote to memory of 1456 1572 Nialog32.exe 37 PID 1456 wrote to memory of 976 1456 Nkbhgojk.exe 38 PID 1456 wrote to memory of 976 1456 Nkbhgojk.exe 38 PID 1456 wrote to memory of 976 1456 Nkbhgojk.exe 38 PID 1456 wrote to memory of 976 1456 Nkbhgojk.exe 38 PID 976 wrote to memory of 2676 976 Nehmdhja.exe 39 PID 976 wrote to memory of 2676 976 Nehmdhja.exe 39 PID 976 wrote to memory of 2676 976 Nehmdhja.exe 39 PID 976 wrote to memory of 2676 976 Nehmdhja.exe 39 PID 2676 wrote to memory of 2036 2676 Nncahjgl.exe 40 PID 2676 wrote to memory of 2036 2676 Nncahjgl.exe 40 PID 2676 wrote to memory of 2036 2676 Nncahjgl.exe 40 PID 2676 wrote to memory of 2036 2676 Nncahjgl.exe 40 PID 2036 wrote to memory of 2244 2036 Nkgbbo32.exe 41 PID 2036 wrote to memory of 2244 2036 Nkgbbo32.exe 41 PID 2036 wrote to memory of 2244 2036 Nkgbbo32.exe 41 PID 2036 wrote to memory of 2244 2036 Nkgbbo32.exe 41 PID 2244 wrote to memory of 2800 2244 Ndpfkdmf.exe 42 PID 2244 wrote to memory of 2800 2244 Ndpfkdmf.exe 42 PID 2244 wrote to memory of 2800 2244 Ndpfkdmf.exe 42 PID 2244 wrote to memory of 2800 2244 Ndpfkdmf.exe 42 PID 2800 wrote to memory of 1772 2800 Nnhkcj32.exe 43 PID 2800 wrote to memory of 1772 2800 Nnhkcj32.exe 43 PID 2800 wrote to memory of 1772 2800 Nnhkcj32.exe 43 PID 2800 wrote to memory of 1772 2800 Nnhkcj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5fcc63341b346565afaa7653b380c93d_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe27⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe28⤵
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe34⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe35⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe36⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe37⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe38⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe39⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe40⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe41⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe42⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe43⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe44⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe46⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe47⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe48⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe50⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe53⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe54⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe55⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe56⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe57⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe58⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe59⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe61⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe62⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe63⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe64⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe65⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe67⤵PID:1612
-
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe68⤵PID:1080
-
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe69⤵PID:1924
-
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe70⤵PID:3032
-
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe71⤵PID:344
-
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe72⤵PID:2240
-
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe73⤵PID:1900
-
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe74⤵PID:1504
-
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe75⤵PID:2064
-
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe76⤵PID:1876
-
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe77⤵PID:2464
-
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe78⤵PID:3000
-
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe79⤵PID:2668
-
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe80⤵PID:624
-
C:\Windows\SysWOW64\Joaeeklp.exeC:\Windows\system32\Joaeeklp.exe81⤵PID:1948
-
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe82⤵PID:448
-
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe83⤵PID:1568
-
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe84⤵PID:896
-
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe85⤵PID:3036
-
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe86⤵PID:2780
-
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe87⤵PID:1468
-
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe88⤵PID:2784
-
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe89⤵PID:2140
-
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe90⤵PID:992
-
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe91⤵PID:2728
-
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe92⤵PID:2588
-
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe93⤵PID:1636
-
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe94⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe95⤵PID:2012
-
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe96⤵PID:2300
-
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe97⤵PID:1692
-
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe98⤵PID:1944
-
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe99⤵PID:1696
-
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe100⤵PID:1404
-
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe101⤵PID:1448
-
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe102⤵PID:2788
-
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe103⤵PID:2380
-
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe104⤵PID:2576
-
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe105⤵PID:2692
-
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe106⤵PID:2544
-
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe107⤵PID:1532
-
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe108⤵PID:1372
-
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe109⤵PID:2040
-
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe110⤵PID:2564
-
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe111⤵PID:408
-
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe112⤵PID:2352
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe113⤵PID:1676
-
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe114⤵PID:824
-
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe115⤵PID:1848
-
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe116⤵PID:1524
-
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe117⤵PID:2424
-
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe118⤵PID:2628
-
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe119⤵PID:2360
-
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe120⤵PID:1424
-
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe121⤵
- Drops file in System32 directory
PID:320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-