Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
23/06/2024, 22:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe
-
Size
192KB
-
MD5
233c9f35c85132f82ba56c8577fa0cb0
-
SHA1
90e48bdf0c7ed9c2f3aa3ade39f60d190066a6fa
-
SHA256
19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac
-
SHA512
5b710b547fd2a23fa5e89eec450192e987b716e8ca4c80d11de32657ed92b05aa4fba758ea55f918196fe4cfef2c77897edd483eb846235d0410f5da18340f50
-
SSDEEP
3072:kwXCA1r7463mCJXH9E5hSaxfebr4MKy3G7UEqMM6T9pui6yYPaI7DehizrVtNe8d:1fN3mCBH9E5hf2ondpui6yYPaIGckfrw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbcln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edpmjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjapjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpinc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqndkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmgninie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbnhng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcadac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdhbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lghjel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maedhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfbgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgimmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceaadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Magqncba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgjclbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkmhaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmldme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iheddndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmefooki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omloag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apcfahio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifnechbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djklnnaj.exe -
Executes dropped EXE 64 IoCs
pid Process 2404 Ncjgbcoi.exe 2396 Nlblkhei.exe 2748 Njgldmdc.exe 2580 Nocemcbj.exe 2716 Njiijlbp.exe 2608 Nofabc32.exe 2220 Ncancbha.exe 2880 Nkmbgdfl.exe 1780 Ofbfdmeb.exe 552 Omloag32.exe 2040 Oojknblb.exe 1444 Oicpfh32.exe 1588 Oqndkj32.exe 2268 Okchhc32.exe 2276 Oelmai32.exe 676 Ojieip32.exe 1112 Oenifh32.exe 2012 Ogmfbd32.exe 2324 Pminkk32.exe 1276 Pphjgfqq.exe 1536 Pjmodopf.exe 776 Pmlkpjpj.exe 1452 Paggai32.exe 2088 Pcfcmd32.exe 2112 Plahag32.exe 2824 Pchpbded.exe 2760 Peiljl32.exe 2552 Plcdgfbo.exe 2868 Pfiidobe.exe 2656 Phjelg32.exe 2588 Pndniaop.exe 3032 Pbpjiphi.exe 2872 Qjknnbed.exe 3028 Qbbfopeg.exe 1736 Qaefjm32.exe 1100 Qljkhe32.exe 2236 Qagcpljo.exe 1660 Adeplhib.exe 632 Ajphib32.exe 2948 Amndem32.exe 2136 Adhlaggp.exe 1916 Affhncfc.exe 1500 Ampqjm32.exe 556 Aalmklfi.exe 1028 Adjigg32.exe 792 Ajdadamj.exe 1644 Ambmpmln.exe 2968 Alenki32.exe 1032 Admemg32.exe 1864 Abpfhcje.exe 2372 Aiinen32.exe 2260 Alhjai32.exe 2660 Apcfahio.exe 2896 Abbbnchb.exe 2576 Aepojo32.exe 2532 Ahokfj32.exe 2720 Bpfcgg32.exe 1756 Bbdocc32.exe 1808 Bagpopmj.exe 1688 Bebkpn32.exe 2484 Bhahlj32.exe 1556 Bkodhe32.exe 2016 Bbflib32.exe 1440 Beehencq.exe -
Loads dropped DLL 64 IoCs
pid Process 2132 19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe 2132 19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe 2404 Ncjgbcoi.exe 2404 Ncjgbcoi.exe 2396 Nlblkhei.exe 2396 Nlblkhei.exe 2748 Njgldmdc.exe 2748 Njgldmdc.exe 2580 Nocemcbj.exe 2580 Nocemcbj.exe 2716 Njiijlbp.exe 2716 Njiijlbp.exe 2608 Nofabc32.exe 2608 Nofabc32.exe 2220 Ncancbha.exe 2220 Ncancbha.exe 2880 Nkmbgdfl.exe 2880 Nkmbgdfl.exe 1780 Ofbfdmeb.exe 1780 Ofbfdmeb.exe 552 Omloag32.exe 552 Omloag32.exe 2040 Oojknblb.exe 2040 Oojknblb.exe 1444 Oicpfh32.exe 1444 Oicpfh32.exe 1588 Oqndkj32.exe 1588 Oqndkj32.exe 2268 Okchhc32.exe 2268 Okchhc32.exe 2276 Oelmai32.exe 2276 Oelmai32.exe 676 Ojieip32.exe 676 Ojieip32.exe 1112 Oenifh32.exe 1112 Oenifh32.exe 2012 Ogmfbd32.exe 2012 Ogmfbd32.exe 2324 Pminkk32.exe 2324 Pminkk32.exe 1276 Pphjgfqq.exe 1276 Pphjgfqq.exe 1536 Pjmodopf.exe 1536 Pjmodopf.exe 776 Pmlkpjpj.exe 776 Pmlkpjpj.exe 1452 Paggai32.exe 1452 Paggai32.exe 2088 Pcfcmd32.exe 2088 Pcfcmd32.exe 2112 Plahag32.exe 2112 Plahag32.exe 2824 Pchpbded.exe 2824 Pchpbded.exe 2760 Peiljl32.exe 2760 Peiljl32.exe 2552 Plcdgfbo.exe 2552 Plcdgfbo.exe 2868 Pfiidobe.exe 2868 Pfiidobe.exe 2656 Phjelg32.exe 2656 Phjelg32.exe 2588 Pndniaop.exe 2588 Pndniaop.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aibajhdn.exe Afcenm32.exe File created C:\Windows\SysWOW64\Malllmgi.dll Knpemf32.exe File created C:\Windows\SysWOW64\Cbnbobin.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Nncahjgl.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Pfioffab.dll Ahgnke32.exe File created C:\Windows\SysWOW64\Lnlmhpjh.dll Mlfojn32.exe File created C:\Windows\SysWOW64\Lhajpc32.dll Maedhd32.exe File created C:\Windows\SysWOW64\Ojdngl32.dll Bkodhe32.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dngoibmo.exe File created C:\Windows\SysWOW64\Kklemhne.dll Jiondcpk.exe File created C:\Windows\SysWOW64\Hpgfki32.exe Ghqnjk32.exe File created C:\Windows\SysWOW64\Ocljjp32.dll Lldlqakb.exe File created C:\Windows\SysWOW64\Echfaf32.exe Eqijej32.exe File created C:\Windows\SysWOW64\Gjfdhbld.exe Gbomfe32.exe File created C:\Windows\SysWOW64\Omloag32.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dodonf32.exe File opened for modification C:\Windows\SysWOW64\Cklmgb32.exe Clilkfnb.exe File opened for modification C:\Windows\SysWOW64\Gjfdhbld.exe Gbomfe32.exe File opened for modification C:\Windows\SysWOW64\Maedhd32.exe Mofglh32.exe File created C:\Windows\SysWOW64\Fnbkddem.exe Ffkcbgek.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Ahdaee32.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Ccngld32.exe File created C:\Windows\SysWOW64\Ecdjal32.dll Dogefd32.exe File created C:\Windows\SysWOW64\Bmdcpnkh.dll Fhqbkhch.exe File created C:\Windows\SysWOW64\Oojknblb.exe Omloag32.exe File opened for modification C:\Windows\SysWOW64\Icpigm32.exe Idmhkpml.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kjqccigf.exe File opened for modification C:\Windows\SysWOW64\Pjhknm32.exe Pcnbablo.exe File created C:\Windows\SysWOW64\Qedhdjnh.exe Qbelgood.exe File created C:\Windows\SysWOW64\Mecbia32.dll Cdbdjhmp.exe File created C:\Windows\SysWOW64\Fhhiii32.dll Nenobfak.exe File created C:\Windows\SysWOW64\Legmbd32.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Gbkgnfbd.exe Gpmjak32.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Ggpimica.exe File created C:\Windows\SysWOW64\Hokokc32.dll Bjlqhoba.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Fndldonj.dll Gobgcg32.exe File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hejoiedd.exe File created C:\Windows\SysWOW64\Lldlqakb.exe Kmaled32.exe File opened for modification C:\Windows\SysWOW64\Fjaonpnn.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Mbnipnaf.dll Hbfbgd32.exe File opened for modification C:\Windows\SysWOW64\Nondgn32.exe Nlphkb32.exe File created C:\Windows\SysWOW64\Cgejac32.exe Cpkbdiqb.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File created C:\Windows\SysWOW64\Ojchmpcd.dll Jcdbbloa.exe File created C:\Windows\SysWOW64\Ljefkdjq.dll Kpmlkp32.exe File created C:\Windows\SysWOW64\Onhgbmfb.exe Ooeggp32.exe File opened for modification C:\Windows\SysWOW64\Ghqnjk32.exe Ginnnooi.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Enihne32.exe File opened for modification C:\Windows\SysWOW64\Abjebn32.exe Anojbobe.exe File created C:\Windows\SysWOW64\Odifab32.dll Dbfabp32.exe File opened for modification C:\Windows\SysWOW64\Efaibbij.exe Edpmjj32.exe File created C:\Windows\SysWOW64\Ioaifhid.exe Ilcmjl32.exe File created C:\Windows\SysWOW64\Fdilgioe.dll Lcagpl32.exe File created C:\Windows\SysWOW64\Ckblig32.dll Chcqpmep.exe File created C:\Windows\SysWOW64\Epaogi32.exe Epaogi32.exe File created C:\Windows\SysWOW64\Fgaleqmc.dll Nefpnhlc.exe File created C:\Windows\SysWOW64\Opfdll32.dll Cjdfmo32.exe File created C:\Windows\SysWOW64\Jfdnjb32.dll Gifhnpea.exe File created C:\Windows\SysWOW64\Opanhd32.dll Bhcdaibd.exe File opened for modification C:\Windows\SysWOW64\Dhmcfkme.exe Dqelenlc.exe File created C:\Windows\SysWOW64\Hciofb32.dll Hnagjbdf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6556 6468 WerFault.exe 699 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbjle32.dll" Ncancbha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oojknblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doqplo32.dll" Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgcmlcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkophk32.dll" Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gheabp32.dll" Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll" Ihgainbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncancbha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gakcimgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfeekif.dll" Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgkoe32.dll" Bdbhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnag32.dll" Hedocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkaiqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dqelenlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabqfggi.dll" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahaloofd.dll" Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll" Bkfjhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnbefhd.dll" Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnfen32.dll" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpeliikc.dll" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjp32.dll" Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjolo32.dll" Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cllpkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlkopcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Ajphib32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2404 2132 19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe 28 PID 2132 wrote to memory of 2404 2132 19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe 28 PID 2132 wrote to memory of 2404 2132 19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe 28 PID 2132 wrote to memory of 2404 2132 19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe 28 PID 2404 wrote to memory of 2396 2404 Ncjgbcoi.exe 29 PID 2404 wrote to memory of 2396 2404 Ncjgbcoi.exe 29 PID 2404 wrote to memory of 2396 2404 Ncjgbcoi.exe 29 PID 2404 wrote to memory of 2396 2404 Ncjgbcoi.exe 29 PID 2396 wrote to memory of 2748 2396 Nlblkhei.exe 30 PID 2396 wrote to memory of 2748 2396 Nlblkhei.exe 30 PID 2396 wrote to memory of 2748 2396 Nlblkhei.exe 30 PID 2396 wrote to memory of 2748 2396 Nlblkhei.exe 30 PID 2748 wrote to memory of 2580 2748 Njgldmdc.exe 31 PID 2748 wrote to memory of 2580 2748 Njgldmdc.exe 31 PID 2748 wrote to memory of 2580 2748 Njgldmdc.exe 31 PID 2748 wrote to memory of 2580 2748 Njgldmdc.exe 31 PID 2580 wrote to memory of 2716 2580 Nocemcbj.exe 32 PID 2580 wrote to memory of 2716 2580 Nocemcbj.exe 32 PID 2580 wrote to memory of 2716 2580 Nocemcbj.exe 32 PID 2580 wrote to memory of 2716 2580 Nocemcbj.exe 32 PID 2716 wrote to memory of 2608 2716 Njiijlbp.exe 33 PID 2716 wrote to memory of 2608 2716 Njiijlbp.exe 33 PID 2716 wrote to memory of 2608 2716 Njiijlbp.exe 33 PID 2716 wrote to memory of 2608 2716 Njiijlbp.exe 33 PID 2608 wrote to memory of 2220 2608 Nofabc32.exe 34 PID 2608 wrote to memory of 2220 2608 Nofabc32.exe 34 PID 2608 wrote to memory of 2220 2608 Nofabc32.exe 34 PID 2608 wrote to memory of 2220 2608 Nofabc32.exe 34 PID 2220 wrote to memory of 2880 2220 Ncancbha.exe 35 PID 2220 wrote to memory of 2880 2220 Ncancbha.exe 35 PID 2220 wrote to memory of 2880 2220 Ncancbha.exe 35 PID 2220 wrote to memory of 2880 2220 Ncancbha.exe 35 PID 2880 wrote to memory of 1780 2880 Nkmbgdfl.exe 36 PID 2880 wrote to memory of 1780 2880 Nkmbgdfl.exe 36 PID 2880 wrote to memory of 1780 2880 Nkmbgdfl.exe 36 PID 2880 wrote to memory of 1780 2880 Nkmbgdfl.exe 36 PID 1780 wrote to memory of 552 1780 Ofbfdmeb.exe 37 PID 1780 wrote to memory of 552 1780 Ofbfdmeb.exe 37 PID 1780 wrote to memory of 552 1780 Ofbfdmeb.exe 37 PID 1780 wrote to memory of 552 1780 Ofbfdmeb.exe 37 PID 552 wrote to memory of 2040 552 Omloag32.exe 38 PID 552 wrote to memory of 2040 552 Omloag32.exe 38 PID 552 wrote to memory of 2040 552 Omloag32.exe 38 PID 552 wrote to memory of 2040 552 Omloag32.exe 38 PID 2040 wrote to memory of 1444 2040 Oojknblb.exe 39 PID 2040 wrote to memory of 1444 2040 Oojknblb.exe 39 PID 2040 wrote to memory of 1444 2040 Oojknblb.exe 39 PID 2040 wrote to memory of 1444 2040 Oojknblb.exe 39 PID 1444 wrote to memory of 1588 1444 Oicpfh32.exe 40 PID 1444 wrote to memory of 1588 1444 Oicpfh32.exe 40 PID 1444 wrote to memory of 1588 1444 Oicpfh32.exe 40 PID 1444 wrote to memory of 1588 1444 Oicpfh32.exe 40 PID 1588 wrote to memory of 2268 1588 Oqndkj32.exe 41 PID 1588 wrote to memory of 2268 1588 Oqndkj32.exe 41 PID 1588 wrote to memory of 2268 1588 Oqndkj32.exe 41 PID 1588 wrote to memory of 2268 1588 Oqndkj32.exe 41 PID 2268 wrote to memory of 2276 2268 Okchhc32.exe 42 PID 2268 wrote to memory of 2276 2268 Okchhc32.exe 42 PID 2268 wrote to memory of 2276 2268 Okchhc32.exe 42 PID 2268 wrote to memory of 2276 2268 Okchhc32.exe 42 PID 2276 wrote to memory of 676 2276 Oelmai32.exe 43 PID 2276 wrote to memory of 676 2276 Oelmai32.exe 43 PID 2276 wrote to memory of 676 2276 Oelmai32.exe 43 PID 2276 wrote to memory of 676 2276 Oelmai32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\19055096dd07120156214655a0d28b8351310533b617a7bc63a772f8b3b449ac_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe33⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe34⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe35⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe36⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe37⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe38⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe39⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe41⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe42⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe44⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe45⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe46⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe47⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe48⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe49⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe50⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe51⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe52⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe53⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe56⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe57⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe58⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe59⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe60⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe61⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe64⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe65⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:972 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe67⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe68⤵PID:1600
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe69⤵PID:1152
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe70⤵PID:1580
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe71⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe72⤵PID:1868
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe73⤵PID:2400
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe74⤵PID:1932
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe75⤵PID:2812
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe76⤵PID:2740
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe77⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe79⤵PID:3024
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe81⤵PID:1292
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe82⤵PID:2264
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe83⤵PID:2072
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe84⤵PID:2224
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe86⤵PID:1812
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe87⤵
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe88⤵PID:1080
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe90⤵PID:1924
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe91⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe92⤵PID:2772
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe93⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe94⤵PID:3012
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe95⤵PID:2836
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe96⤵PID:1664
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe97⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe98⤵PID:2296
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe99⤵PID:1512
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe100⤵PID:584
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe101⤵PID:696
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe102⤵PID:1772
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe103⤵PID:816
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe104⤵PID:2348
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe105⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe106⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe108⤵PID:2708
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe109⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe110⤵PID:1624
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe112⤵
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe113⤵PID:2524
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe114⤵PID:444
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe115⤵PID:2512
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe116⤵PID:2300
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe117⤵PID:2380
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe118⤵PID:1672
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe119⤵PID:2924
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe120⤵PID:1972
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe121⤵PID:2820
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-