Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/06/2024, 03:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe
-
Size
419KB
-
MD5
0d8b8ee98c9df06b472e7cbd22071b40
-
SHA1
f36697644bbd4662f5962da3475c7c2cb2e6d0c0
-
SHA256
2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be
-
SHA512
e9d1ad2ef4c6f6b4f77e18924f94d5dc9ac0bea11b5c9601c1b77511b017725a827b9a3551cea51d5c092720083e213b869bdc77f3ee19c1f0700a569b317d4b
-
SSDEEP
6144:FP2QNkSDe9VByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R1L/gBSfGmtE1se:sSQByvNv54B9f01ZmHByvNv5fJPGs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopnlacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qjnmlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cinfhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqlhdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmihhelk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoloalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfaeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmcbbki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedkbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikojfgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keanebkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjpacfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfqkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajcde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilncom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihankokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonoflae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdplq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgimmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bonoflae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fepiimfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmojocel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbnoliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apalea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohfeog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpbiommg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picnndmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedocp32.exe -
Executes dropped EXE 64 IoCs
pid Process 1072 Ckffgg32.exe 2988 Dngoibmo.exe 2644 Ddcdkl32.exe 2432 Dchali32.exe 2448 Djefobmk.exe 2420 Epdkli32.exe 2700 Epfhbign.exe 2948 Eiomkn32.exe 2952 Fjdbnf32.exe 1696 Fcmgfkeg.exe 2712 Fdapak32.exe 1252 Ffbicfoc.exe 672 Ghfbqn32.exe 776 Gbkgnfbd.exe 2868 Gacpdbej.exe 648 Gogangdc.exe 1856 Hnojdcfi.exe 2372 Hdhbam32.exe 832 Hpocfncj.exe 1528 Hgilchkf.exe 768 Hcplhi32.exe 908 Henidd32.exe 1916 Hogmmjfo.exe 784 Ieqeidnl.exe 1804 Ifcbodli.exe 1924 Ihankokm.exe 1580 Iajcde32.exe 2184 Inqcif32.exe 2532 Ikddbj32.exe 2656 Imfqjbli.exe 2732 Icpigm32.exe 2620 Jqdipqbp.exe 2440 Joifam32.exe 660 Jcdbbloa.exe 2784 Jcgogk32.exe 2944 Jkbcln32.exe 1700 Jfghif32.exe 1472 Jkdpanhg.exe 2668 Kkgmgmfd.exe 1244 Kneicieh.exe 1628 Kcbakpdo.exe 2688 Keanebkb.exe 2408 Kpkofpgq.exe 1852 Kgbggnhc.exe 840 Kpmlkp32.exe 1996 Kfgdhjmk.exe 1348 Lpphap32.exe 2012 Lbnemk32.exe 620 Lpbefoai.exe 1948 Lbqabkql.exe 2832 Leonofpp.exe 2204 Lhmjkaoc.exe 2828 Lpdbloof.exe 2528 Limfed32.exe 2724 Lkncmmle.exe 2540 Lbeknj32.exe 2428 Lecgje32.exe 2804 Lkppbl32.exe 2764 Mhdplq32.exe 2664 Mkclhl32.exe 1440 Mppepcfg.exe 2524 Mgimmm32.exe 1284 Mkeimlfm.exe 2120 Mpbaebdd.exe -
Loads dropped DLL 64 IoCs
pid Process 3008 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe 3008 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe 1072 Ckffgg32.exe 1072 Ckffgg32.exe 2988 Dngoibmo.exe 2988 Dngoibmo.exe 2644 Ddcdkl32.exe 2644 Ddcdkl32.exe 2432 Dchali32.exe 2432 Dchali32.exe 2448 Djefobmk.exe 2448 Djefobmk.exe 2420 Epdkli32.exe 2420 Epdkli32.exe 2700 Epfhbign.exe 2700 Epfhbign.exe 2948 Eiomkn32.exe 2948 Eiomkn32.exe 2952 Fjdbnf32.exe 2952 Fjdbnf32.exe 1696 Fcmgfkeg.exe 1696 Fcmgfkeg.exe 2712 Fdapak32.exe 2712 Fdapak32.exe 1252 Ffbicfoc.exe 1252 Ffbicfoc.exe 672 Ghfbqn32.exe 672 Ghfbqn32.exe 776 Gbkgnfbd.exe 776 Gbkgnfbd.exe 2868 Gacpdbej.exe 2868 Gacpdbej.exe 648 Gogangdc.exe 648 Gogangdc.exe 1856 Hnojdcfi.exe 1856 Hnojdcfi.exe 2372 Hdhbam32.exe 2372 Hdhbam32.exe 832 Hpocfncj.exe 832 Hpocfncj.exe 1528 Hgilchkf.exe 1528 Hgilchkf.exe 768 Hcplhi32.exe 768 Hcplhi32.exe 908 Henidd32.exe 908 Henidd32.exe 1916 Hogmmjfo.exe 1916 Hogmmjfo.exe 784 Ieqeidnl.exe 784 Ieqeidnl.exe 1804 Ifcbodli.exe 1804 Ifcbodli.exe 1924 Ihankokm.exe 1924 Ihankokm.exe 1580 Iajcde32.exe 1580 Iajcde32.exe 2184 Inqcif32.exe 2184 Inqcif32.exe 2532 Ikddbj32.exe 2532 Ikddbj32.exe 2656 Imfqjbli.exe 2656 Imfqjbli.exe 2732 Icpigm32.exe 2732 Icpigm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Pmdjdh32.exe File created C:\Windows\SysWOW64\Jjifqd32.dll Aidnohbk.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Echfaf32.exe File created C:\Windows\SysWOW64\Anlfbi32.exe Akmjfn32.exe File created C:\Windows\SysWOW64\Imfqjbli.exe Ikddbj32.exe File created C:\Windows\SysWOW64\Bcinmgng.dll Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Ekelld32.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Bedolome.dll Jcjdpj32.exe File opened for modification C:\Windows\SysWOW64\Meijhc32.exe Mpmapm32.exe File created C:\Windows\SysWOW64\Dfglke32.dll Oohqqlei.exe File created C:\Windows\SysWOW64\Abjebn32.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Jcjdpj32.exe Jqlhdo32.exe File created C:\Windows\SysWOW64\Gcopbn32.dll Lmebnb32.exe File created C:\Windows\SysWOW64\Pdlkiepd.exe Pbnoliap.exe File created C:\Windows\SysWOW64\Ceegmj32.exe Cbgjqo32.exe File opened for modification C:\Windows\SysWOW64\Miooigfo.exe Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Lfbpag32.exe Lccdel32.exe File created C:\Windows\SysWOW64\Lapefgai.dll Pjbjhgde.exe File created C:\Windows\SysWOW64\Pcefke32.dll Lkppbl32.exe File opened for modification C:\Windows\SysWOW64\Mpdnkb32.exe Mijfnh32.exe File created C:\Windows\SysWOW64\Gokfbfnk.dll Noqamn32.exe File created C:\Windows\SysWOW64\Ilpedi32.dll Blgpef32.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Dookgcij.exe File created C:\Windows\SysWOW64\Elpbcapg.dll Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Mijfnh32.exe Mpbaebdd.exe File created C:\Windows\SysWOW64\Lidengnp.dll Alnqqd32.exe File opened for modification C:\Windows\SysWOW64\Ikddbj32.exe Inqcif32.exe File created C:\Windows\SysWOW64\Mkeimlfm.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Abjebn32.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Olfeho32.dll Eqpgol32.exe File created C:\Windows\SysWOW64\Oincig32.dll Mdpjlajk.exe File created C:\Windows\SysWOW64\Kbfhbeek.exe Kmjojo32.exe File created C:\Windows\SysWOW64\Inqcif32.exe Iajcde32.exe File created C:\Windows\SysWOW64\Mhbped32.exe Miooigfo.exe File opened for modification C:\Windows\SysWOW64\Pflomnkb.exe Ppbfpd32.exe File created C:\Windows\SysWOW64\Obilnl32.dll Cdbdjhmp.exe File opened for modification C:\Windows\SysWOW64\Lmebnb32.exe Lghjel32.exe File created C:\Windows\SysWOW64\Jbbpnl32.dll Onecbg32.exe File created C:\Windows\SysWOW64\Odpegjpg.dll Gogangdc.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Mimbdhhb.exe File created C:\Windows\SysWOW64\Aaobdjof.exe Albjlcao.exe File created C:\Windows\SysWOW64\Gkcfcoqm.dll Llohjo32.exe File created C:\Windows\SysWOW64\Hgpmbc32.dll Cdoajb32.exe File created C:\Windows\SysWOW64\Ipjchc32.dll Fdapak32.exe File created C:\Windows\SysWOW64\Mimbdhhb.exe Mdpjlajk.exe File opened for modification C:\Windows\SysWOW64\Ckccgane.exe Cclkfdnc.exe File opened for modification C:\Windows\SysWOW64\Fbmcbbki.exe Fpngfgle.exe File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe Mofglh32.exe File opened for modification C:\Windows\SysWOW64\Lpdbloof.exe Lhmjkaoc.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Adpkee32.exe Aaaoij32.exe File created C:\Windows\SysWOW64\Lgmcqkkh.exe Labkdack.exe File created C:\Windows\SysWOW64\Cdoajb32.exe Bfkpqn32.exe File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe Hnojdcfi.exe File opened for modification C:\Windows\SysWOW64\Cdbdjhmp.exe Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Pdlkiepd.exe Pbnoliap.exe File created C:\Windows\SysWOW64\Mbbcbk32.dll Hpefdl32.exe File created C:\Windows\SysWOW64\Nekbmgcn.exe Npojdpef.exe File opened for modification C:\Windows\SysWOW64\Onecbg32.exe Odlojanh.exe File created C:\Windows\SysWOW64\Qjnmlk32.exe Qiladcdh.exe File created C:\Windows\SysWOW64\Gacpdbej.exe Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Lkppbl32.exe Lecgje32.exe File created C:\Windows\SysWOW64\Dkmcgmjk.dll Ogblbo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4452 4428 WerFault.exe 359 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odlojanh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngemkm32.dll" Gfjhgdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll" Migbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfbelipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll" Aaaoij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedolome.dll" Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll" Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jddnncch.dll" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdoajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlekia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qiladcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhqkpcf.dll" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" Bfkpqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkghm32.dll" Iapebchh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emieil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ganpomec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cinfhigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fncdgcqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gepehphc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Limfed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lghjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mofglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obafnlpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hanlnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpfaocal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpbefoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedeic32.dll" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfqpega.dll" Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcakaipc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkaglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 1072 3008 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe 28 PID 3008 wrote to memory of 1072 3008 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe 28 PID 3008 wrote to memory of 1072 3008 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe 28 PID 3008 wrote to memory of 1072 3008 2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe 28 PID 1072 wrote to memory of 2988 1072 Ckffgg32.exe 29 PID 1072 wrote to memory of 2988 1072 Ckffgg32.exe 29 PID 1072 wrote to memory of 2988 1072 Ckffgg32.exe 29 PID 1072 wrote to memory of 2988 1072 Ckffgg32.exe 29 PID 2988 wrote to memory of 2644 2988 Dngoibmo.exe 30 PID 2988 wrote to memory of 2644 2988 Dngoibmo.exe 30 PID 2988 wrote to memory of 2644 2988 Dngoibmo.exe 30 PID 2988 wrote to memory of 2644 2988 Dngoibmo.exe 30 PID 2644 wrote to memory of 2432 2644 Ddcdkl32.exe 31 PID 2644 wrote to memory of 2432 2644 Ddcdkl32.exe 31 PID 2644 wrote to memory of 2432 2644 Ddcdkl32.exe 31 PID 2644 wrote to memory of 2432 2644 Ddcdkl32.exe 31 PID 2432 wrote to memory of 2448 2432 Dchali32.exe 32 PID 2432 wrote to memory of 2448 2432 Dchali32.exe 32 PID 2432 wrote to memory of 2448 2432 Dchali32.exe 32 PID 2432 wrote to memory of 2448 2432 Dchali32.exe 32 PID 2448 wrote to memory of 2420 2448 Djefobmk.exe 33 PID 2448 wrote to memory of 2420 2448 Djefobmk.exe 33 PID 2448 wrote to memory of 2420 2448 Djefobmk.exe 33 PID 2448 wrote to memory of 2420 2448 Djefobmk.exe 33 PID 2420 wrote to memory of 2700 2420 Epdkli32.exe 34 PID 2420 wrote to memory of 2700 2420 Epdkli32.exe 34 PID 2420 wrote to memory of 2700 2420 Epdkli32.exe 34 PID 2420 wrote to memory of 2700 2420 Epdkli32.exe 34 PID 2700 wrote to memory of 2948 2700 Epfhbign.exe 35 PID 2700 wrote to memory of 2948 2700 Epfhbign.exe 35 PID 2700 wrote to memory of 2948 2700 Epfhbign.exe 35 PID 2700 wrote to memory of 2948 2700 Epfhbign.exe 35 PID 2948 wrote to memory of 2952 2948 Eiomkn32.exe 36 PID 2948 wrote to memory of 2952 2948 Eiomkn32.exe 36 PID 2948 wrote to memory of 2952 2948 Eiomkn32.exe 36 PID 2948 wrote to memory of 2952 2948 Eiomkn32.exe 36 PID 2952 wrote to memory of 1696 2952 Fjdbnf32.exe 37 PID 2952 wrote to memory of 1696 2952 Fjdbnf32.exe 37 PID 2952 wrote to memory of 1696 2952 Fjdbnf32.exe 37 PID 2952 wrote to memory of 1696 2952 Fjdbnf32.exe 37 PID 1696 wrote to memory of 2712 1696 Fcmgfkeg.exe 38 PID 1696 wrote to memory of 2712 1696 Fcmgfkeg.exe 38 PID 1696 wrote to memory of 2712 1696 Fcmgfkeg.exe 38 PID 1696 wrote to memory of 2712 1696 Fcmgfkeg.exe 38 PID 2712 wrote to memory of 1252 2712 Fdapak32.exe 39 PID 2712 wrote to memory of 1252 2712 Fdapak32.exe 39 PID 2712 wrote to memory of 1252 2712 Fdapak32.exe 39 PID 2712 wrote to memory of 1252 2712 Fdapak32.exe 39 PID 1252 wrote to memory of 672 1252 Ffbicfoc.exe 40 PID 1252 wrote to memory of 672 1252 Ffbicfoc.exe 40 PID 1252 wrote to memory of 672 1252 Ffbicfoc.exe 40 PID 1252 wrote to memory of 672 1252 Ffbicfoc.exe 40 PID 672 wrote to memory of 776 672 Ghfbqn32.exe 41 PID 672 wrote to memory of 776 672 Ghfbqn32.exe 41 PID 672 wrote to memory of 776 672 Ghfbqn32.exe 41 PID 672 wrote to memory of 776 672 Ghfbqn32.exe 41 PID 776 wrote to memory of 2868 776 Gbkgnfbd.exe 42 PID 776 wrote to memory of 2868 776 Gbkgnfbd.exe 42 PID 776 wrote to memory of 2868 776 Gbkgnfbd.exe 42 PID 776 wrote to memory of 2868 776 Gbkgnfbd.exe 42 PID 2868 wrote to memory of 648 2868 Gacpdbej.exe 43 PID 2868 wrote to memory of 648 2868 Gacpdbej.exe 43 PID 2868 wrote to memory of 648 2868 Gacpdbej.exe 43 PID 2868 wrote to memory of 648 2868 Gacpdbej.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:648 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe35⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe36⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe37⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe38⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe40⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe41⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe42⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe44⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe45⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe47⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe48⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe49⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe51⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe57⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe61⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe62⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe64⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe66⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe67⤵PID:2404
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe68⤵
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe69⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe70⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe71⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe73⤵PID:1748
-
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe74⤵PID:1676
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe75⤵PID:2516
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe77⤵PID:876
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe80⤵
- Drops file in System32 directory
PID:496 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe81⤵PID:1300
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe82⤵
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe84⤵PID:1788
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe85⤵
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe86⤵PID:2068
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe88⤵PID:2268
-
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe89⤵PID:872
-
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe90⤵PID:2156
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe91⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe92⤵PID:2768
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe93⤵PID:1508
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe94⤵PID:2792
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe97⤵PID:2112
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe98⤵PID:2864
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe99⤵PID:1108
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe100⤵
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1356 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe102⤵PID:808
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe103⤵PID:2776
-
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe104⤵PID:2900
-
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe105⤵PID:2176
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe106⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe107⤵PID:2452
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe108⤵PID:2488
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe109⤵PID:800
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe110⤵
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe111⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe112⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe113⤵PID:1952
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe114⤵PID:892
-
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe115⤵PID:1652
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe116⤵PID:320
-
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe117⤵PID:1684
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe119⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe120⤵PID:2548
-
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe121⤵
- Drops file in System32 directory
PID:2816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-