Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 15:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe
-
Size
85KB
-
MD5
ed3e1084cb9ef7007fc5d0bffc94dd10
-
SHA1
a1a4bae035426ea1069cf6087c031b8da6cea42a
-
SHA256
c61b7fffada717229347097ae867a527c13e2f67c47ae5958cf5933415007989
-
SHA512
be25a33ee64ce43d964c44f02aa4e1fa989c2181f6fe2d7fff27d3458f01aec59d9cef32523a43eda9e7c315ab5e20daa65d4bf130dd39e005eaa10be02742d6
-
SSDEEP
1536:jlOMjroRV0eE9ZaRJw1dqbCigXoeV8s2LH9ZMQ262AjCsQ2PCZZrqOlNfVSLUK+:j8019Y+dqbr6VMHXMQH2qC7ZQOlzSLUN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplogdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komfnnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkbdlbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llccmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfpjomgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhjai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibjkgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkobnqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loooca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amndem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfeimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naikkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okchhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apomfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahjpbad.exe -
Executes dropped EXE 64 IoCs
pid Process 1252 Kbcicmpj.exe 2968 Kllmmc32.exe 2636 Kbfeimng.exe 2680 Kfaajlfp.exe 2736 Kipnfged.exe 2360 Klnjbbdh.exe 2900 Komfnnck.exe 1624 Kbhbom32.exe 2748 Kegnkh32.exe 2888 Kibjkgca.exe 2332 Klqfhbbe.exe 2204 Koocdnai.exe 1516 Keikqhhe.exe 2108 Lhggmchi.exe 1156 Llccmb32.exe 668 Laplei32.exe 588 Ldnhad32.exe 572 Ldnhad32.exe 2408 Lfmdnp32.exe 1152 Lkhpnnej.exe 1556 Lodlom32.exe 328 Lmgmjjdn.exe 1660 Lpeifeca.exe 2376 Lhlqhb32.exe 2848 Lkkmdn32.exe 1704 Limmokib.exe 2716 Lmiipi32.exe 2992 Ladeqhjd.exe 2608 Lbfahp32.exe 2588 Lkmjin32.exe 1968 Lmkfei32.exe 2772 Lpjbad32.exe 1724 Ldenbcge.exe 2212 Lgdjnofi.exe 1628 Libgjj32.exe 2428 Lmnbkinf.exe 2616 Lplogdmj.exe 2820 Loooca32.exe 556 Mcjkcplm.exe 1936 Mgfgdn32.exe 1796 Midcpj32.exe 1208 Mhgclfje.exe 840 Mpolmdkg.exe 1268 Moalhq32.exe 932 Mcmhiojk.exe 112 Mekdekin.exe 2244 Migpeiag.exe 2240 Mhjpaf32.exe 2964 Mlelaeqk.exe 1644 Mkhmma32.exe 1680 Mochnppo.exe 2500 Mcodno32.exe 2760 Mabejlob.exe 2216 Menakj32.exe 2552 Mdqafgnf.exe 1548 Mhlmgf32.exe 2508 Mlgigdoh.exe 2192 Mkjica32.exe 2600 Mofecpnl.exe 1484 Mdcnlglc.exe 1540 Mhnjle32.exe 2028 Mgajhbkg.exe 904 Mohbip32.exe 2464 Mnkbdlbd.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe 2220 ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe 1252 Kbcicmpj.exe 1252 Kbcicmpj.exe 2968 Kllmmc32.exe 2968 Kllmmc32.exe 2636 Kbfeimng.exe 2636 Kbfeimng.exe 2680 Kfaajlfp.exe 2680 Kfaajlfp.exe 2736 Kipnfged.exe 2736 Kipnfged.exe 2360 Klnjbbdh.exe 2360 Klnjbbdh.exe 2900 Komfnnck.exe 2900 Komfnnck.exe 1624 Kbhbom32.exe 1624 Kbhbom32.exe 2748 Kegnkh32.exe 2748 Kegnkh32.exe 2888 Kibjkgca.exe 2888 Kibjkgca.exe 2332 Klqfhbbe.exe 2332 Klqfhbbe.exe 2204 Koocdnai.exe 2204 Koocdnai.exe 1516 Keikqhhe.exe 1516 Keikqhhe.exe 2108 Lhggmchi.exe 2108 Lhggmchi.exe 1156 Llccmb32.exe 1156 Llccmb32.exe 668 Laplei32.exe 668 Laplei32.exe 588 Ldnhad32.exe 588 Ldnhad32.exe 572 Ldnhad32.exe 572 Ldnhad32.exe 2408 Lfmdnp32.exe 2408 Lfmdnp32.exe 1152 Lkhpnnej.exe 1152 Lkhpnnej.exe 1556 Lodlom32.exe 1556 Lodlom32.exe 328 Lmgmjjdn.exe 328 Lmgmjjdn.exe 1660 Lpeifeca.exe 1660 Lpeifeca.exe 2376 Lhlqhb32.exe 2376 Lhlqhb32.exe 2848 Lkkmdn32.exe 2848 Lkkmdn32.exe 1704 Limmokib.exe 1704 Limmokib.exe 2716 Lmiipi32.exe 2716 Lmiipi32.exe 2992 Ladeqhjd.exe 2992 Ladeqhjd.exe 2608 Lbfahp32.exe 2608 Lbfahp32.exe 2588 Lkmjin32.exe 2588 Lkmjin32.exe 1968 Lmkfei32.exe 1968 Lmkfei32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qjhccbfb.dll Lpjbad32.exe File created C:\Windows\SysWOW64\Mefagn32.dll Qlhnbf32.exe File created C:\Windows\SysWOW64\Cdcfgc32.dll Aalmklfi.exe File created C:\Windows\SysWOW64\Afiecb32.exe Abmibdlh.exe File opened for modification C:\Windows\SysWOW64\Alhjai32.exe Aiinen32.exe File created C:\Windows\SysWOW64\Nqhenocn.dll Kegnkh32.exe File created C:\Windows\SysWOW64\Keikqhhe.exe Koocdnai.exe File created C:\Windows\SysWOW64\Lmiipi32.exe Limmokib.exe File opened for modification C:\Windows\SysWOW64\Bbflib32.exe Bokphdld.exe File created C:\Windows\SysWOW64\Bhfagipa.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Ihomanac.dll Begeknan.exe File created C:\Windows\SysWOW64\Cbamcl32.dll Chemfl32.exe File opened for modification C:\Windows\SysWOW64\Chhjkl32.exe Cfinoq32.exe File opened for modification C:\Windows\SysWOW64\Nnplpl32.exe Njdpomfe.exe File opened for modification C:\Windows\SysWOW64\Oqqapjnk.exe Onbddoog.exe File created C:\Windows\SysWOW64\Mhhaff32.dll Piehkkcl.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Efppoc32.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Idceea32.exe File created C:\Windows\SysWOW64\Ndjdlffl.exe Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Apajlhka.exe Alenki32.exe File created C:\Windows\SysWOW64\Pdfdcg32.dll Bkodhe32.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Ebinic32.exe File opened for modification C:\Windows\SysWOW64\Komfnnck.exe Klnjbbdh.exe File created C:\Windows\SysWOW64\Bdooajdc.exe Baqbenep.exe File created C:\Windows\SysWOW64\Djefobmk.exe Doobajme.exe File created C:\Windows\SysWOW64\Aepojo32.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Cfbhnaho.exe Cgpgce32.exe File created C:\Windows\SysWOW64\Maomqp32.dll Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Lmiipi32.exe Limmokib.exe File opened for modification C:\Windows\SysWOW64\Pbkpna32.exe Pchpbded.exe File created C:\Windows\SysWOW64\Qagcpljo.exe Qagcpljo.exe File created C:\Windows\SysWOW64\Odegpj32.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Ppamme32.exe Plfamfpm.exe File opened for modification C:\Windows\SysWOW64\Kegnkh32.exe Kbhbom32.exe File created C:\Windows\SysWOW64\Hlbpenqj.dll Loooca32.exe File opened for modification C:\Windows\SysWOW64\Ndjdlffl.exe Npnhlg32.exe File created C:\Windows\SysWOW64\Pfdpip32.exe Pbiciana.exe File opened for modification C:\Windows\SysWOW64\Bcaomf32.exe Bdooajdc.exe File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe Dnlidb32.exe File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe Hcifgjgc.exe File created C:\Windows\SysWOW64\Mpolmdkg.exe Mhgclfje.exe File created C:\Windows\SysWOW64\Onbddoog.exe Ojficpfn.exe File opened for modification C:\Windows\SysWOW64\Paggai32.exe Pmlkpjpj.exe File created C:\Windows\SysWOW64\Ckggkg32.dll Qnigda32.exe File opened for modification C:\Windows\SysWOW64\Ccfhhffh.exe Cfbhnaho.exe File created C:\Windows\SysWOW64\Mpjoqhah.exe Magnek32.exe File created C:\Windows\SysWOW64\Ifjcng32.dll Nfpjomgd.exe File opened for modification C:\Windows\SysWOW64\Ppamme32.exe Plfamfpm.exe File opened for modification C:\Windows\SysWOW64\Hjlobf32.dll Nfkpdn32.exe File opened for modification C:\Windows\SysWOW64\Onphoo32.exe Oomhcbjp.exe File created C:\Windows\SysWOW64\Kfammbdf.dll Pfdpip32.exe File opened for modification C:\Windows\SysWOW64\Pdamlbjc.dll Qagcpljo.exe File created C:\Windows\SysWOW64\Mcjkcplm.exe Loooca32.exe File opened for modification C:\Windows\SysWOW64\Naikkk32.exe Nnnojlpa.exe File created C:\Windows\SysWOW64\Mfcngp32.dll Nplkfgoe.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Elmigj32.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Henidd32.exe File created C:\Windows\SysWOW64\Bjmgnnib.dll Menakj32.exe File opened for modification C:\Windows\SysWOW64\Ncoamb32.exe Nocemcbj.exe File created C:\Windows\SysWOW64\Plfamfpm.exe Phjelg32.exe File created C:\Windows\SysWOW64\Qagcpljo.exe Qmlgonbe.exe File opened for modification C:\Windows\SysWOW64\Ddagfm32.exe Dbbkja32.exe File opened for modification C:\Windows\SysWOW64\Mochnppo.exe Mkhmma32.exe File opened for modification C:\Windows\SysWOW64\Ofbfdmeb.exe Nbfjdn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4540 4468 WerFault.exe 420 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdejaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqqcc32.dll" Lmgmjjdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacpn32.dll" Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obkdonic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqqdag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbeccf32.dll" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgjec32.dll" Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnelgk32.dll" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdcdhpk.dll" Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdppp32.dll" Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phjelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagpopmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjijdadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedlancd.dll" Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnpqjl.dll" Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Plcdgfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfjfiam.dll" Lmiipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mabejlob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmjii32.dll" Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchpbded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piehkkcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjmkcbcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdoneabg.dll" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damgbk32.dll" Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpnnmjg.dll" Nbdnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhljm32.dll" Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Admemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elmigj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmnbkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piehkkcl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1252 2220 ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1252 2220 ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1252 2220 ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1252 2220 ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe 28 PID 1252 wrote to memory of 2968 1252 Kbcicmpj.exe 29 PID 1252 wrote to memory of 2968 1252 Kbcicmpj.exe 29 PID 1252 wrote to memory of 2968 1252 Kbcicmpj.exe 29 PID 1252 wrote to memory of 2968 1252 Kbcicmpj.exe 29 PID 2968 wrote to memory of 2636 2968 Kllmmc32.exe 30 PID 2968 wrote to memory of 2636 2968 Kllmmc32.exe 30 PID 2968 wrote to memory of 2636 2968 Kllmmc32.exe 30 PID 2968 wrote to memory of 2636 2968 Kllmmc32.exe 30 PID 2636 wrote to memory of 2680 2636 Kbfeimng.exe 31 PID 2636 wrote to memory of 2680 2636 Kbfeimng.exe 31 PID 2636 wrote to memory of 2680 2636 Kbfeimng.exe 31 PID 2636 wrote to memory of 2680 2636 Kbfeimng.exe 31 PID 2680 wrote to memory of 2736 2680 Kfaajlfp.exe 32 PID 2680 wrote to memory of 2736 2680 Kfaajlfp.exe 32 PID 2680 wrote to memory of 2736 2680 Kfaajlfp.exe 32 PID 2680 wrote to memory of 2736 2680 Kfaajlfp.exe 32 PID 2736 wrote to memory of 2360 2736 Kipnfged.exe 33 PID 2736 wrote to memory of 2360 2736 Kipnfged.exe 33 PID 2736 wrote to memory of 2360 2736 Kipnfged.exe 33 PID 2736 wrote to memory of 2360 2736 Kipnfged.exe 33 PID 2360 wrote to memory of 2900 2360 Klnjbbdh.exe 34 PID 2360 wrote to memory of 2900 2360 Klnjbbdh.exe 34 PID 2360 wrote to memory of 2900 2360 Klnjbbdh.exe 34 PID 2360 wrote to memory of 2900 2360 Klnjbbdh.exe 34 PID 2900 wrote to memory of 1624 2900 Komfnnck.exe 35 PID 2900 wrote to memory of 1624 2900 Komfnnck.exe 35 PID 2900 wrote to memory of 1624 2900 Komfnnck.exe 35 PID 2900 wrote to memory of 1624 2900 Komfnnck.exe 35 PID 1624 wrote to memory of 2748 1624 Kbhbom32.exe 36 PID 1624 wrote to memory of 2748 1624 Kbhbom32.exe 36 PID 1624 wrote to memory of 2748 1624 Kbhbom32.exe 36 PID 1624 wrote to memory of 2748 1624 Kbhbom32.exe 36 PID 2748 wrote to memory of 2888 2748 Kegnkh32.exe 37 PID 2748 wrote to memory of 2888 2748 Kegnkh32.exe 37 PID 2748 wrote to memory of 2888 2748 Kegnkh32.exe 37 PID 2748 wrote to memory of 2888 2748 Kegnkh32.exe 37 PID 2888 wrote to memory of 2332 2888 Kibjkgca.exe 38 PID 2888 wrote to memory of 2332 2888 Kibjkgca.exe 38 PID 2888 wrote to memory of 2332 2888 Kibjkgca.exe 38 PID 2888 wrote to memory of 2332 2888 Kibjkgca.exe 38 PID 2332 wrote to memory of 2204 2332 Klqfhbbe.exe 39 PID 2332 wrote to memory of 2204 2332 Klqfhbbe.exe 39 PID 2332 wrote to memory of 2204 2332 Klqfhbbe.exe 39 PID 2332 wrote to memory of 2204 2332 Klqfhbbe.exe 39 PID 2204 wrote to memory of 1516 2204 Koocdnai.exe 40 PID 2204 wrote to memory of 1516 2204 Koocdnai.exe 40 PID 2204 wrote to memory of 1516 2204 Koocdnai.exe 40 PID 2204 wrote to memory of 1516 2204 Koocdnai.exe 40 PID 1516 wrote to memory of 2108 1516 Keikqhhe.exe 41 PID 1516 wrote to memory of 2108 1516 Keikqhhe.exe 41 PID 1516 wrote to memory of 2108 1516 Keikqhhe.exe 41 PID 1516 wrote to memory of 2108 1516 Keikqhhe.exe 41 PID 2108 wrote to memory of 1156 2108 Lhggmchi.exe 42 PID 2108 wrote to memory of 1156 2108 Lhggmchi.exe 42 PID 2108 wrote to memory of 1156 2108 Lhggmchi.exe 42 PID 2108 wrote to memory of 1156 2108 Lhggmchi.exe 42 PID 1156 wrote to memory of 668 1156 Llccmb32.exe 43 PID 1156 wrote to memory of 668 1156 Llccmb32.exe 43 PID 1156 wrote to memory of 668 1156 Llccmb32.exe 43 PID 1156 wrote to memory of 668 1156 Llccmb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ed3e1084cb9ef7007fc5d0bffc94dd10_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:668 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe34⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe35⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe36⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe41⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe42⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe46⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe47⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe48⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe49⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe52⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe57⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe58⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe59⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe60⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe61⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe62⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe63⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe66⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe67⤵PID:1588
-
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe68⤵
- Modifies registry class
PID:488 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe69⤵PID:2580
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe71⤵PID:340
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe72⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe74⤵PID:2200
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe75⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe76⤵PID:1760
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe77⤵PID:1808
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe78⤵PID:2232
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe79⤵PID:692
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe81⤵PID:1564
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe83⤵PID:3060
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe84⤵PID:2268
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe85⤵PID:564
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe86⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe88⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe90⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe92⤵PID:2336
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe93⤵PID:1580
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe94⤵PID:2892
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe95⤵PID:1848
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe97⤵PID:2004
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe98⤵PID:2740
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe99⤵PID:2536
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe100⤵PID:2068
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe101⤵
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe103⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe104⤵PID:3052
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe105⤵PID:2796
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe106⤵PID:2380
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe107⤵PID:1652
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe108⤵PID:1428
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe111⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe113⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe115⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe116⤵PID:2884
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe117⤵PID:1748
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe118⤵PID:3000
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe119⤵PID:2472
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe120⤵PID:2896
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe121⤵PID:2744
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-