Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 03:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe
-
Size
1.7MB
-
MD5
9ac3eab7f52d3c5b06baa94056631010
-
SHA1
b24cb96fab074ba91e46bef558760423af52ace4
-
SHA256
34e142346a9fa1d141b854694818dcf272db741f91a9502d9f56e5cf87707b30
-
SHA512
c4d0a7e042e5547164cf76b2d892eb48dff87dc3d24abe4edabee2b0212e1d6eab6d7bc5c46b9f62211b7ce3a872b4a121871f2dbc8d181e4de11d50cabbe6e2
-
SSDEEP
49152:jqAiix7/ix7yix7/ix7Xcix7/ix7yix7/ix7:j5iU/UyU/UXcU/UyU/U
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maphdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clcflkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcokkak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihmjejl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekelld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdmcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npojdpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffklhqao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfamfpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oojknblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hknach32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmfqkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlnif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiihdlpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe -
Executes dropped EXE 64 IoCs
pid Process 2392 Kipnfged.exe 2584 Koocdnai.exe 2636 Lhlqhb32.exe 2736 Libgjj32.exe 2612 Maphdl32.exe 2516 Mofecpnl.exe 2856 Mhnjle32.exe 2960 Naikkk32.exe 3012 Nghphaeo.exe 2496 Nnbhek32.exe 1908 Ncoamb32.exe 2692 Nlgefh32.exe 1532 Njkfpl32.exe 1748 Nmjblg32.exe 2104 Nohnhc32.exe 2044 Ofbfdmeb.exe 1168 Oojknblb.exe 1484 Odgcfijj.exe 1100 Obkdonic.exe 452 Oghlgdgk.exe 2024 Oqqapjnk.exe 1676 Okfencna.exe 1404 Ondajnme.exe 1716 Ocajbekl.exe 972 Ofpfnqjp.exe 2360 Paejki32.exe 1668 Pgobhcac.exe 2380 Pipopl32.exe 1516 Ppjglfon.exe 2196 Pjpkjond.exe 1612 Plahag32.exe 2248 Pbkpna32.exe 2128 Piehkkcl.exe 2664 Plcdgfbo.exe 872 Pfiidobe.exe 2784 Plfamfpm.exe 2724 Pndniaop.exe 1656 Pabjem32.exe 2440 Pijbfj32.exe 2828 Qjknnbed.exe 1648 Qeqbkkej.exe 2704 Qjmkcbcb.exe 780 Ahakmf32.exe 2780 Amndem32.exe 1448 Affhncfc.exe 2040 Apomfh32.exe 2088 Ajdadamj.exe 1492 Alenki32.exe 3000 Afkbib32.exe 708 Alhjai32.exe 2016 Afmonbqk.exe 1660 Boiccdnf.exe 2064 Blmdlhmp.exe 2928 Baildokg.exe 404 Bloqah32.exe 820 Balijo32.exe 2008 Bghabf32.exe 1980 Bpafkknm.exe 1880 Bhhnli32.exe 1272 Bjijdadm.exe 2600 Baqbenep.exe 2884 Bdooajdc.exe 2456 Ckignd32.exe 2096 Cgpgce32.exe -
Loads dropped DLL 64 IoCs
pid Process 1256 9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe 1256 9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe 2392 Kipnfged.exe 2392 Kipnfged.exe 2584 Koocdnai.exe 2584 Koocdnai.exe 2636 Lhlqhb32.exe 2636 Lhlqhb32.exe 2736 Libgjj32.exe 2736 Libgjj32.exe 2612 Maphdl32.exe 2612 Maphdl32.exe 2516 Mofecpnl.exe 2516 Mofecpnl.exe 2856 Mhnjle32.exe 2856 Mhnjle32.exe 2960 Naikkk32.exe 2960 Naikkk32.exe 3012 Nghphaeo.exe 3012 Nghphaeo.exe 2496 Nnbhek32.exe 2496 Nnbhek32.exe 1908 Ncoamb32.exe 1908 Ncoamb32.exe 2692 Nlgefh32.exe 2692 Nlgefh32.exe 1532 Njkfpl32.exe 1532 Njkfpl32.exe 1748 Nmjblg32.exe 1748 Nmjblg32.exe 2104 Nohnhc32.exe 2104 Nohnhc32.exe 2044 Ofbfdmeb.exe 2044 Ofbfdmeb.exe 1168 Oojknblb.exe 1168 Oojknblb.exe 1484 Odgcfijj.exe 1484 Odgcfijj.exe 1100 Obkdonic.exe 1100 Obkdonic.exe 452 Oghlgdgk.exe 452 Oghlgdgk.exe 2024 Oqqapjnk.exe 2024 Oqqapjnk.exe 1676 Okfencna.exe 1676 Okfencna.exe 1404 Ondajnme.exe 1404 Ondajnme.exe 1716 Ocajbekl.exe 1716 Ocajbekl.exe 972 Ofpfnqjp.exe 972 Ofpfnqjp.exe 2360 Paejki32.exe 2360 Paejki32.exe 1668 Pgobhcac.exe 1668 Pgobhcac.exe 2380 Pipopl32.exe 2380 Pipopl32.exe 1516 Ppjglfon.exe 1516 Ppjglfon.exe 2196 Pjpkjond.exe 2196 Pjpkjond.exe 1612 Plahag32.exe 1612 Plahag32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Plfamfpm.exe File created C:\Windows\SysWOW64\Fenhecef.dll Hgilchkf.exe File created C:\Windows\SysWOW64\Onhgbmfb.exe Okikfagn.exe File created C:\Windows\SysWOW64\Bioggp32.dll Ckdjbh32.exe File opened for modification C:\Windows\SysWOW64\Dhjgal32.exe Dbpodagk.exe File created C:\Windows\SysWOW64\Fmcoja32.exe Flabbihl.exe File opened for modification C:\Windows\SysWOW64\Bmkmdk32.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Malllmgi.dll Knpemf32.exe File created C:\Windows\SysWOW64\Dlfdghbq.dll Ljibgg32.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Ekgednng.dll Egafleqm.exe File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Mffimglk.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Ffbicfoc.exe Fddmgjpo.exe File opened for modification C:\Windows\SysWOW64\Hhgdkjol.exe Heihnoph.exe File created C:\Windows\SysWOW64\Ofbfdmeb.exe Nohnhc32.exe File created C:\Windows\SysWOW64\Mihiih32.exe Mgimmm32.exe File created C:\Windows\SysWOW64\Lblqijln.dll Ncjqhmkm.exe File opened for modification C:\Windows\SysWOW64\Nckjkl32.exe Nplmop32.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ncmfqkdj.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dgfjbgmh.exe File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe Fejgko32.exe File opened for modification C:\Windows\SysWOW64\Lfjqnjkh.exe Lpphap32.exe File opened for modification C:\Windows\SysWOW64\Mcbjgn32.exe Mpdnkb32.exe File created C:\Windows\SysWOW64\Fdfcak32.dll Njkfpl32.exe File opened for modification C:\Windows\SysWOW64\Llcefjgf.exe Leimip32.exe File created C:\Windows\SysWOW64\Lfdmggnm.exe Lpjdjmfp.exe File created C:\Windows\SysWOW64\Kfammbdf.dll Ppjglfon.exe File opened for modification C:\Windows\SysWOW64\Naajoinb.exe Nnennj32.exe File opened for modification C:\Windows\SysWOW64\Onhgbmfb.exe Okikfagn.exe File created C:\Windows\SysWOW64\Djdfhjik.dll Moanaiie.exe File created C:\Windows\SysWOW64\Dnilobkm.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Njlockkm.exe Ngnbgplj.exe File created C:\Windows\SysWOW64\Haiccald.exe Hojgfemq.exe File opened for modification C:\Windows\SysWOW64\Monhhk32.exe Mggpgmof.exe File created C:\Windows\SysWOW64\Icdepo32.dll Gakcimgf.exe File opened for modification C:\Windows\SysWOW64\Mooaljkh.exe Mlaeonld.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lojomkdn.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pjcabmga.exe File created C:\Windows\SysWOW64\Qlhpnakf.dll Gffoldhp.exe File created C:\Windows\SysWOW64\Deeieqod.dll Kegqdqbl.exe File created C:\Windows\SysWOW64\Alefel32.dll Kipnfged.exe File opened for modification C:\Windows\SysWOW64\Pbkpna32.exe Plahag32.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Emmcaafi.dll Mcbjgn32.exe File created C:\Windows\SysWOW64\Pikkiijf.exe Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Fcmbeioh.dll Pjpkjond.exe File created C:\Windows\SysWOW64\Bmamfo32.dll Mhdplq32.exe File created C:\Windows\SysWOW64\Kijmee32.dll Nglfapnl.exe File created C:\Windows\SysWOW64\Kncphpjl.dll Dfffnn32.exe File created C:\Windows\SysWOW64\Elpbcapg.dll Goddhg32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Doehqead.exe File created C:\Windows\SysWOW64\Fbdjbaea.exe Fnhnbb32.exe File created C:\Windows\SysWOW64\Ioaifhid.exe Ilcmjl32.exe File opened for modification C:\Windows\SysWOW64\Nmnace32.exe Nkpegi32.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fdoclk32.exe File created C:\Windows\SysWOW64\Dknekeef.exe Dhpiojfb.exe File created C:\Windows\SysWOW64\Fmmkcoap.exe Fjongcbl.exe File opened for modification C:\Windows\SysWOW64\Kbidgeci.exe Kpjhkjde.exe File opened for modification C:\Windows\SysWOW64\Ppjglfon.exe Pipopl32.exe File created C:\Windows\SysWOW64\Apimacnn.exe Aipddi32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Alpmfdcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihmjejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll" Dfoqmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmaqpohl.dll" Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gebbnpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbkhq32.dll" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll" Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mijgof32.dll" Ohibdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afohaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmefooki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimckbco.dll" Leimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpkjond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallbqdi.dll" Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll" Lijjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" Mlaeonld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll" Ceodnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anccmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll" Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konojnki.dll" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gakcimgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdkokpa.dll" Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obojmk32.dll" Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkpbk32.dll" Mamddf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1256 wrote to memory of 2392 1256 9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe 28 PID 1256 wrote to memory of 2392 1256 9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe 28 PID 1256 wrote to memory of 2392 1256 9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe 28 PID 1256 wrote to memory of 2392 1256 9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe 28 PID 2392 wrote to memory of 2584 2392 Kipnfged.exe 29 PID 2392 wrote to memory of 2584 2392 Kipnfged.exe 29 PID 2392 wrote to memory of 2584 2392 Kipnfged.exe 29 PID 2392 wrote to memory of 2584 2392 Kipnfged.exe 29 PID 2584 wrote to memory of 2636 2584 Koocdnai.exe 30 PID 2584 wrote to memory of 2636 2584 Koocdnai.exe 30 PID 2584 wrote to memory of 2636 2584 Koocdnai.exe 30 PID 2584 wrote to memory of 2636 2584 Koocdnai.exe 30 PID 2636 wrote to memory of 2736 2636 Lhlqhb32.exe 31 PID 2636 wrote to memory of 2736 2636 Lhlqhb32.exe 31 PID 2636 wrote to memory of 2736 2636 Lhlqhb32.exe 31 PID 2636 wrote to memory of 2736 2636 Lhlqhb32.exe 31 PID 2736 wrote to memory of 2612 2736 Libgjj32.exe 32 PID 2736 wrote to memory of 2612 2736 Libgjj32.exe 32 PID 2736 wrote to memory of 2612 2736 Libgjj32.exe 32 PID 2736 wrote to memory of 2612 2736 Libgjj32.exe 32 PID 2612 wrote to memory of 2516 2612 Maphdl32.exe 33 PID 2612 wrote to memory of 2516 2612 Maphdl32.exe 33 PID 2612 wrote to memory of 2516 2612 Maphdl32.exe 33 PID 2612 wrote to memory of 2516 2612 Maphdl32.exe 33 PID 2516 wrote to memory of 2856 2516 Mofecpnl.exe 34 PID 2516 wrote to memory of 2856 2516 Mofecpnl.exe 34 PID 2516 wrote to memory of 2856 2516 Mofecpnl.exe 34 PID 2516 wrote to memory of 2856 2516 Mofecpnl.exe 34 PID 2856 wrote to memory of 2960 2856 Mhnjle32.exe 35 PID 2856 wrote to memory of 2960 2856 Mhnjle32.exe 35 PID 2856 wrote to memory of 2960 2856 Mhnjle32.exe 35 PID 2856 wrote to memory of 2960 2856 Mhnjle32.exe 35 PID 2960 wrote to memory of 3012 2960 Naikkk32.exe 36 PID 2960 wrote to memory of 3012 2960 Naikkk32.exe 36 PID 2960 wrote to memory of 3012 2960 Naikkk32.exe 36 PID 2960 wrote to memory of 3012 2960 Naikkk32.exe 36 PID 3012 wrote to memory of 2496 3012 Nghphaeo.exe 37 PID 3012 wrote to memory of 2496 3012 Nghphaeo.exe 37 PID 3012 wrote to memory of 2496 3012 Nghphaeo.exe 37 PID 3012 wrote to memory of 2496 3012 Nghphaeo.exe 37 PID 2496 wrote to memory of 1908 2496 Nnbhek32.exe 38 PID 2496 wrote to memory of 1908 2496 Nnbhek32.exe 38 PID 2496 wrote to memory of 1908 2496 Nnbhek32.exe 38 PID 2496 wrote to memory of 1908 2496 Nnbhek32.exe 38 PID 1908 wrote to memory of 2692 1908 Ncoamb32.exe 39 PID 1908 wrote to memory of 2692 1908 Ncoamb32.exe 39 PID 1908 wrote to memory of 2692 1908 Ncoamb32.exe 39 PID 1908 wrote to memory of 2692 1908 Ncoamb32.exe 39 PID 2692 wrote to memory of 1532 2692 Nlgefh32.exe 40 PID 2692 wrote to memory of 1532 2692 Nlgefh32.exe 40 PID 2692 wrote to memory of 1532 2692 Nlgefh32.exe 40 PID 2692 wrote to memory of 1532 2692 Nlgefh32.exe 40 PID 1532 wrote to memory of 1748 1532 Njkfpl32.exe 41 PID 1532 wrote to memory of 1748 1532 Njkfpl32.exe 41 PID 1532 wrote to memory of 1748 1532 Njkfpl32.exe 41 PID 1532 wrote to memory of 1748 1532 Njkfpl32.exe 41 PID 1748 wrote to memory of 2104 1748 Nmjblg32.exe 42 PID 1748 wrote to memory of 2104 1748 Nmjblg32.exe 42 PID 1748 wrote to memory of 2104 1748 Nmjblg32.exe 42 PID 1748 wrote to memory of 2104 1748 Nmjblg32.exe 42 PID 2104 wrote to memory of 2044 2104 Nohnhc32.exe 43 PID 2104 wrote to memory of 2044 2104 Nohnhc32.exe 43 PID 2104 wrote to memory of 2044 2104 Nohnhc32.exe 43 PID 2104 wrote to memory of 2044 2104 Nohnhc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9ac3eab7f52d3c5b06baa94056631010_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe33⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe34⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe36⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe38⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe40⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe41⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe42⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe43⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe44⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe45⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe46⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe47⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe48⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe49⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe51⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe53⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe54⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe56⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe59⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe60⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe62⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe63⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe64⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe65⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe66⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe67⤵PID:1692
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe68⤵PID:3028
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe69⤵PID:2536
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe70⤵PID:2060
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe71⤵PID:804
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:876 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe73⤵PID:1036
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe74⤵PID:1780
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe75⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe76⤵PID:2212
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe77⤵PID:384
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:776 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe79⤵PID:2148
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe80⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe81⤵PID:2556
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe82⤵PID:1972
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe83⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe84⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe85⤵PID:2816
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe86⤵PID:1572
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe87⤵PID:2424
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe88⤵PID:1008
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe89⤵PID:2844
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe90⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe91⤵PID:1028
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe92⤵PID:2300
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe95⤵PID:2572
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe96⤵PID:1864
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe97⤵PID:1432
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe99⤵PID:2788
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe100⤵PID:1228
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe101⤵PID:1564
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1400 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe103⤵PID:668
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe104⤵PID:912
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe105⤵PID:2132
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe106⤵PID:1112
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe107⤵PID:2740
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe108⤵PID:1588
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe109⤵PID:2616
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe111⤵PID:3100
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe112⤵
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe113⤵PID:3180
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe114⤵PID:3220
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe115⤵PID:3260
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe116⤵
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe117⤵PID:3340
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe118⤵
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3420 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe120⤵PID:3460
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe121⤵PID:3504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-