Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 01:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe
-
Size
96KB
-
MD5
0784052be080f54df42128ffe813bb60
-
SHA1
549d4352bc41af02a1de0f8708c56f75a7e250a5
-
SHA256
553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483
-
SHA512
e714796ceb2349b6f53dcbfa0bf668f50ef4884b4d03401f8380fd9a579366c3be2406f8a699f2b725c1293c78bcdb59fa78ac89bde7fbd346e0fff7c2bbe47a
-
SSDEEP
1536:O1OBp7eCeB1EIOu50mGeW+nIeikIgRQ+cR5R45WtqV9R2R462izMg3R7ih9:OEKBv/8Kte+cHrtG9MW3+3l29
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpeofk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdocc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgcgmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjndop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chemfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apcfahio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bingpmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfefiemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnnojlpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdpomfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckignd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Lipjejgp.exe 2676 Lgdjnofi.exe 2584 Llqcfe32.exe 2744 Mcjkcplm.exe 2712 Mhgclfje.exe 2896 Moalhq32.exe 756 Migpeiag.exe 1368 Mkhmma32.exe 2748 Menakj32.exe 1260 Mlgigdoh.exe 2376 Mnieom32.exe 760 Mdcnlglc.exe 1428 Mohbip32.exe 2912 Magnek32.exe 2488 Mgcgmb32.exe 532 Nnnojlpa.exe 1052 Ncjgbcoi.exe 2552 Ngfcca32.exe 2420 Njdpomfe.exe 1516 Nlblkhei.exe 2100 Ncmdhb32.exe 2816 Nghphaeo.exe 808 Ncoamb32.exe 1760 Njiijlbp.exe 2840 Nofabc32.exe 2356 Ncancbha.exe 2988 Nohnhc32.exe 3028 Ofbfdmeb.exe 2796 Ohqbqhde.exe 2484 Okoomd32.exe 2760 Odgcfijj.exe 2528 Oomhcbjp.exe 2516 Oqndkj32.exe 1580 Okchhc32.exe 2520 Oqqapjnk.exe 860 Ocomlemo.exe 1836 Ondajnme.exe 1864 Oqcnfjli.exe 1868 Ojkboo32.exe 1412 Ongnonkb.exe 1692 Pjmodopf.exe 1196 Ppjglfon.exe 2284 Pbiciana.exe 804 Piblek32.exe 2416 Pbkpna32.exe 1596 Peiljl32.exe 3008 Piehkkcl.exe 868 Ppoqge32.exe 340 Pbmmcq32.exe 2804 Pelipl32.exe 2360 Ppamme32.exe 1500 Pndniaop.exe 2688 Pabjem32.exe 2672 Pijbfj32.exe 2636 Qhmbagfa.exe 2444 Qnfjna32.exe 2892 Qbbfopeg.exe 2512 Qdccfh32.exe 1852 Qljkhe32.exe 1856 Qmlgonbe.exe 2248 Qagcpljo.exe 2132 Adeplhib.exe 2548 Afdlhchf.exe 2200 Amndem32.exe -
Loads dropped DLL 64 IoCs
pid Process 1632 553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe 1632 553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe 2632 Lipjejgp.exe 2632 Lipjejgp.exe 2676 Lgdjnofi.exe 2676 Lgdjnofi.exe 2584 Llqcfe32.exe 2584 Llqcfe32.exe 2744 Mcjkcplm.exe 2744 Mcjkcplm.exe 2712 Mhgclfje.exe 2712 Mhgclfje.exe 2896 Moalhq32.exe 2896 Moalhq32.exe 756 Migpeiag.exe 756 Migpeiag.exe 1368 Mkhmma32.exe 1368 Mkhmma32.exe 2748 Menakj32.exe 2748 Menakj32.exe 1260 Mlgigdoh.exe 1260 Mlgigdoh.exe 2376 Mnieom32.exe 2376 Mnieom32.exe 760 Mdcnlglc.exe 760 Mdcnlglc.exe 1428 Mohbip32.exe 1428 Mohbip32.exe 2912 Magnek32.exe 2912 Magnek32.exe 2488 Mgcgmb32.exe 2488 Mgcgmb32.exe 532 Nnnojlpa.exe 532 Nnnojlpa.exe 1052 Ncjgbcoi.exe 1052 Ncjgbcoi.exe 2552 Ngfcca32.exe 2552 Ngfcca32.exe 2420 Njdpomfe.exe 2420 Njdpomfe.exe 1516 Nlblkhei.exe 1516 Nlblkhei.exe 2100 Ncmdhb32.exe 2100 Ncmdhb32.exe 2816 Nghphaeo.exe 2816 Nghphaeo.exe 808 Ncoamb32.exe 808 Ncoamb32.exe 1760 Njiijlbp.exe 1760 Njiijlbp.exe 2840 Nofabc32.exe 2840 Nofabc32.exe 2356 Ncancbha.exe 2356 Ncancbha.exe 2988 Nohnhc32.exe 2988 Nohnhc32.exe 3028 Ofbfdmeb.exe 3028 Ofbfdmeb.exe 2796 Ohqbqhde.exe 2796 Ohqbqhde.exe 2484 Okoomd32.exe 2484 Okoomd32.exe 2760 Odgcfijj.exe 2760 Odgcfijj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nghphaeo.exe Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Ppamme32.exe File created C:\Windows\SysWOW64\Chhjkl32.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Facklcaq.dll Faokjpfd.exe File created C:\Windows\SysWOW64\Pnnclg32.dll Gieojq32.exe File created C:\Windows\SysWOW64\Henidd32.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Ieqeidnl.exe Icbimi32.exe File created C:\Windows\SysWOW64\Amndem32.exe Afdlhchf.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Clcflkic.exe File opened for modification C:\Windows\SysWOW64\Dnneja32.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Chcphm32.dll Emhlfmgj.exe File created C:\Windows\SysWOW64\Hdfflm32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Alenki32.exe Ambmpmln.exe File created C:\Windows\SysWOW64\Bdhhqk32.exe Baildokg.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Ckignd32.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Emeopn32.exe File created C:\Windows\SysWOW64\Jkoginch.dll Fhhcgj32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hiekid32.exe File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Lkojpojq.dll Ecpgmhai.exe File created C:\Windows\SysWOW64\Eiomkn32.exe Eecqjpee.exe File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe Eeempocb.exe File created C:\Windows\SysWOW64\Pdamlbjc.dll Qmlgonbe.exe File created C:\Windows\SysWOW64\Cpeofk32.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dkhcmgnl.exe File created C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Pnbgan32.dll Hhmepp32.exe File created C:\Windows\SysWOW64\Gfhpoo32.dll Nghphaeo.exe File created C:\Windows\SysWOW64\Nofabc32.exe Njiijlbp.exe File created C:\Windows\SysWOW64\Mpmchlpl.dll Pbiciana.exe File opened for modification C:\Windows\SysWOW64\Ahchbf32.exe Aplpai32.exe File created C:\Windows\SysWOW64\Andkhh32.dll Ajdadamj.exe File opened for modification C:\Windows\SysWOW64\Cgbdhd32.exe Coklgg32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File opened for modification C:\Windows\SysWOW64\Ohqbqhde.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Cmmhnnlm.dll Oqcnfjli.exe File created C:\Windows\SysWOW64\Medfkpfc.dll Ongnonkb.exe File created C:\Windows\SysWOW64\Qmlgonbe.exe Qljkhe32.exe File created C:\Windows\SysWOW64\Dkkpbgli.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fhkpmjln.exe File created C:\Windows\SysWOW64\Hllopfgo.dll Ghmiam32.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hlfdkoin.exe File opened for modification C:\Windows\SysWOW64\Lgdjnofi.exe Lipjejgp.exe File created C:\Windows\SysWOW64\Bnebmi32.dll Njiijlbp.exe File opened for modification C:\Windows\SysWOW64\Ondajnme.exe Ocomlemo.exe File created C:\Windows\SysWOW64\Bdlblj32.exe Bnbjopoi.exe File created C:\Windows\SysWOW64\Njqaac32.dll Eflgccbp.exe File created C:\Windows\SysWOW64\Dchfknpg.dll Fhffaj32.exe File created C:\Windows\SysWOW64\Dgnijonn.dll Iknnbklc.exe File created C:\Windows\SysWOW64\Mohbip32.exe Mdcnlglc.exe File opened for modification C:\Windows\SysWOW64\Nofabc32.exe Njiijlbp.exe File created C:\Windows\SysWOW64\Bokphdld.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Bpcbqk32.exe Baqbenep.exe File created C:\Windows\SysWOW64\Eilpeooq.exe Efncicpm.exe File created C:\Windows\SysWOW64\Jiiegafd.dll Ebinic32.exe File created C:\Windows\SysWOW64\Gkkgcp32.dll Bdlblj32.exe File opened for modification C:\Windows\SysWOW64\Fdapak32.exe Fpfdalii.exe File created C:\Windows\SysWOW64\Ghkllmoi.exe Gelppaof.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hgilchkf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3340 3328 WerFault.exe 268 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbkeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddeaalpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgbdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmoipopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffhidee.dll" Nlblkhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll" Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbkoipg.dll" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlgigdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbkpna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecpgmhai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkhmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajdadamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haobqm32.dll" Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjmodopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Bnpmipql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll" Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Fnpnndgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncjgbcoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Ddeaalpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpapln32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1632 wrote to memory of 2632 1632 553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe 28 PID 1632 wrote to memory of 2632 1632 553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe 28 PID 1632 wrote to memory of 2632 1632 553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe 28 PID 1632 wrote to memory of 2632 1632 553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe 28 PID 2632 wrote to memory of 2676 2632 Lipjejgp.exe 29 PID 2632 wrote to memory of 2676 2632 Lipjejgp.exe 29 PID 2632 wrote to memory of 2676 2632 Lipjejgp.exe 29 PID 2632 wrote to memory of 2676 2632 Lipjejgp.exe 29 PID 2676 wrote to memory of 2584 2676 Lgdjnofi.exe 30 PID 2676 wrote to memory of 2584 2676 Lgdjnofi.exe 30 PID 2676 wrote to memory of 2584 2676 Lgdjnofi.exe 30 PID 2676 wrote to memory of 2584 2676 Lgdjnofi.exe 30 PID 2584 wrote to memory of 2744 2584 Llqcfe32.exe 31 PID 2584 wrote to memory of 2744 2584 Llqcfe32.exe 31 PID 2584 wrote to memory of 2744 2584 Llqcfe32.exe 31 PID 2584 wrote to memory of 2744 2584 Llqcfe32.exe 31 PID 2744 wrote to memory of 2712 2744 Mcjkcplm.exe 32 PID 2744 wrote to memory of 2712 2744 Mcjkcplm.exe 32 PID 2744 wrote to memory of 2712 2744 Mcjkcplm.exe 32 PID 2744 wrote to memory of 2712 2744 Mcjkcplm.exe 32 PID 2712 wrote to memory of 2896 2712 Mhgclfje.exe 33 PID 2712 wrote to memory of 2896 2712 Mhgclfje.exe 33 PID 2712 wrote to memory of 2896 2712 Mhgclfje.exe 33 PID 2712 wrote to memory of 2896 2712 Mhgclfje.exe 33 PID 2896 wrote to memory of 756 2896 Moalhq32.exe 34 PID 2896 wrote to memory of 756 2896 Moalhq32.exe 34 PID 2896 wrote to memory of 756 2896 Moalhq32.exe 34 PID 2896 wrote to memory of 756 2896 Moalhq32.exe 34 PID 756 wrote to memory of 1368 756 Migpeiag.exe 35 PID 756 wrote to memory of 1368 756 Migpeiag.exe 35 PID 756 wrote to memory of 1368 756 Migpeiag.exe 35 PID 756 wrote to memory of 1368 756 Migpeiag.exe 35 PID 1368 wrote to memory of 2748 1368 Mkhmma32.exe 36 PID 1368 wrote to memory of 2748 1368 Mkhmma32.exe 36 PID 1368 wrote to memory of 2748 1368 Mkhmma32.exe 36 PID 1368 wrote to memory of 2748 1368 Mkhmma32.exe 36 PID 2748 wrote to memory of 1260 2748 Menakj32.exe 37 PID 2748 wrote to memory of 1260 2748 Menakj32.exe 37 PID 2748 wrote to memory of 1260 2748 Menakj32.exe 37 PID 2748 wrote to memory of 1260 2748 Menakj32.exe 37 PID 1260 wrote to memory of 2376 1260 Mlgigdoh.exe 38 PID 1260 wrote to memory of 2376 1260 Mlgigdoh.exe 38 PID 1260 wrote to memory of 2376 1260 Mlgigdoh.exe 38 PID 1260 wrote to memory of 2376 1260 Mlgigdoh.exe 38 PID 2376 wrote to memory of 760 2376 Mnieom32.exe 39 PID 2376 wrote to memory of 760 2376 Mnieom32.exe 39 PID 2376 wrote to memory of 760 2376 Mnieom32.exe 39 PID 2376 wrote to memory of 760 2376 Mnieom32.exe 39 PID 760 wrote to memory of 1428 760 Mdcnlglc.exe 40 PID 760 wrote to memory of 1428 760 Mdcnlglc.exe 40 PID 760 wrote to memory of 1428 760 Mdcnlglc.exe 40 PID 760 wrote to memory of 1428 760 Mdcnlglc.exe 40 PID 1428 wrote to memory of 2912 1428 Mohbip32.exe 41 PID 1428 wrote to memory of 2912 1428 Mohbip32.exe 41 PID 1428 wrote to memory of 2912 1428 Mohbip32.exe 41 PID 1428 wrote to memory of 2912 1428 Mohbip32.exe 41 PID 2912 wrote to memory of 2488 2912 Magnek32.exe 42 PID 2912 wrote to memory of 2488 2912 Magnek32.exe 42 PID 2912 wrote to memory of 2488 2912 Magnek32.exe 42 PID 2912 wrote to memory of 2488 2912 Magnek32.exe 42 PID 2488 wrote to memory of 532 2488 Mgcgmb32.exe 43 PID 2488 wrote to memory of 532 2488 Mgcgmb32.exe 43 PID 2488 wrote to memory of 532 2488 Mgcgmb32.exe 43 PID 2488 wrote to memory of 532 2488 Mgcgmb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\553b56cc3849f9275a3baebd45b1e3c79499beaf97fc31a6275c6cf189047483_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe33⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe34⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe35⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe36⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe38⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe45⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe47⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe48⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe51⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe58⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe59⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe62⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe63⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe66⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe67⤵PID:1724
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe68⤵PID:2764
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:832 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe70⤵PID:924
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe71⤵PID:896
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe73⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe74⤵PID:2700
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe75⤵PID:2564
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe76⤵PID:2508
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe77⤵PID:1528
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1132 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe80⤵PID:2932
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe81⤵PID:1616
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe82⤵PID:2812
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe84⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe86⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe87⤵PID:1972
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe88⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe89⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe90⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe91⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe93⤵PID:1564
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe94⤵PID:2868
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe95⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe97⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe98⤵PID:480
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe100⤵
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe101⤵PID:2860
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe102⤵PID:1948
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe104⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1184 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe107⤵PID:1488
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe109⤵PID:2108
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe110⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe111⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe112⤵PID:2916
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe113⤵PID:2072
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe115⤵PID:888
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe116⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe118⤵PID:2500
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe119⤵PID:1548
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe120⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe121⤵
- Modifies registry class
PID:2208
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-