Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 05:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe
-
Size
96KB
-
MD5
ba2f4a37a8085bdbdb3359dad8926030
-
SHA1
7483e41585ed12e380da0ec2e10e85770e76af5e
-
SHA256
88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53
-
SHA512
614500375aac5abd43670cbad3a232250a264c4978c702c4cca441a4b5c494faf69bcd6cea044b014abd75cc221f922edd63ab6ac68bbce2e8f9d571c0865275
-
SSDEEP
1536:61cpVnY4oQgaKWLorH5Z9hH92Lk1vPXuhiTMuZXGTIVefVDkryyAyqX:62p1iGob5Z9hHOavPXuhuXGQmVDeCyqX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clcflkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbhek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okoomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pndniaop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncancbha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnbhek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcqpmep.exe -
Executes dropped EXE 64 IoCs
pid Process 1192 Mpjoqhah.exe 2112 Mkobnqan.exe 2688 Nplkfgoe.exe 2684 Ngfcca32.exe 2968 Njdpomfe.exe 2440 Npnhlg32.exe 2972 Nfkpdn32.exe 2744 Nnbhek32.exe 2824 Nocemcbj.exe 880 Ngkmnacm.exe 1432 Nhlifi32.exe 2396 Nofabc32.exe 2432 Ncancbha.exe 1332 Njkfpl32.exe 2084 Nmjblg32.exe 2216 Nccjhafn.exe 336 Ohqbqhde.exe 588 Okoomd32.exe 1900 Oojknblb.exe 632 Onmkio32.exe 2388 Obigjnkf.exe 1308 Oomhcbjp.exe 2356 Odjpkihg.exe 1672 Oghlgdgk.exe 1520 Oqqapjnk.exe 1032 Ocomlemo.exe 2836 Ondajnme.exe 3048 Oqcnfjli.exe 2656 Oenifh32.exe 2452 Ongnonkb.exe 2640 Pphjgfqq.exe 2668 Pgobhcac.exe 2568 Paggai32.exe 1848 Ppjglfon.exe 2804 Pbiciana.exe 2000 Pmnhfjmg.exe 272 Plahag32.exe 556 Pbkpna32.exe 2736 Pfflopdh.exe 860 Piehkkcl.exe 1704 Phjelg32.exe 2256 Plfamfpm.exe 2544 Ppamme32.exe 1488 Pndniaop.exe 2020 Qjknnbed.exe 2196 Qnfjna32.exe 1544 Qbbfopeg.exe 2148 Qaefjm32.exe 1796 Qdccfh32.exe 2232 Qjmkcbcb.exe 2636 Qnigda32.exe 1788 Qagcpljo.exe 2672 Qecoqk32.exe 2852 Ahakmf32.exe 2608 Ajphib32.exe 2488 Ankdiqih.exe 2520 Aajpelhl.exe 2092 Adhlaggp.exe 2932 Ahchbf32.exe 1008 Affhncfc.exe 1996 Ampqjm32.exe 2516 Aalmklfi.exe 1324 Adjigg32.exe 2052 Afiecb32.exe -
Loads dropped DLL 64 IoCs
pid Process 1688 88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe 1688 88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe 1192 Mpjoqhah.exe 1192 Mpjoqhah.exe 2112 Mkobnqan.exe 2112 Mkobnqan.exe 2688 Nplkfgoe.exe 2688 Nplkfgoe.exe 2684 Ngfcca32.exe 2684 Ngfcca32.exe 2968 Njdpomfe.exe 2968 Njdpomfe.exe 2440 Npnhlg32.exe 2440 Npnhlg32.exe 2972 Nfkpdn32.exe 2972 Nfkpdn32.exe 2744 Nnbhek32.exe 2744 Nnbhek32.exe 2824 Nocemcbj.exe 2824 Nocemcbj.exe 880 Ngkmnacm.exe 880 Ngkmnacm.exe 1432 Nhlifi32.exe 1432 Nhlifi32.exe 2396 Nofabc32.exe 2396 Nofabc32.exe 2432 Ncancbha.exe 2432 Ncancbha.exe 1332 Njkfpl32.exe 1332 Njkfpl32.exe 2084 Nmjblg32.exe 2084 Nmjblg32.exe 2216 Nccjhafn.exe 2216 Nccjhafn.exe 336 Ohqbqhde.exe 336 Ohqbqhde.exe 588 Okoomd32.exe 588 Okoomd32.exe 1900 Oojknblb.exe 1900 Oojknblb.exe 632 Onmkio32.exe 632 Onmkio32.exe 2388 Obigjnkf.exe 2388 Obigjnkf.exe 1308 Oomhcbjp.exe 1308 Oomhcbjp.exe 2356 Odjpkihg.exe 2356 Odjpkihg.exe 1672 Oghlgdgk.exe 1672 Oghlgdgk.exe 1520 Oqqapjnk.exe 1520 Oqqapjnk.exe 1032 Ocomlemo.exe 1032 Ocomlemo.exe 2836 Ondajnme.exe 2836 Ondajnme.exe 3048 Oqcnfjli.exe 3048 Oqcnfjli.exe 2656 Oenifh32.exe 2656 Oenifh32.exe 2452 Ongnonkb.exe 2452 Ongnonkb.exe 2640 Pphjgfqq.exe 2640 Pphjgfqq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dbnkge32.dll Gacpdbej.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Pndaof32.dll Ppamme32.exe File created C:\Windows\SysWOW64\Aljgfioc.exe Ahokfj32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Ikeogmlj.dll Bdjefj32.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gangic32.exe File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe Gkkemh32.exe File created C:\Windows\SysWOW64\Ieqeidnl.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Ekholjqg.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hkpnhgge.exe File created C:\Windows\SysWOW64\Nnbhek32.exe Nfkpdn32.exe File created C:\Windows\SysWOW64\Oiahfd32.dll Ahokfj32.exe File created C:\Windows\SysWOW64\Bhcdaibd.exe Baildokg.exe File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe Bkfjhd32.exe File opened for modification C:\Windows\SysWOW64\Ccdlbf32.exe Cdakgibq.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cjndop32.exe File created C:\Windows\SysWOW64\Gegfdb32.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Ooghhh32.dll Gdopkn32.exe File created C:\Windows\SysWOW64\Nocemcbj.exe Nnbhek32.exe File created C:\Windows\SysWOW64\Ocomlemo.exe Oqqapjnk.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qagcpljo.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Cjlgiqbk.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Lkojpojq.dll Ebbgid32.exe File created C:\Windows\SysWOW64\Ennaieib.exe Ejbfhfaj.exe File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Piddlm32.dll Oomhcbjp.exe File created C:\Windows\SysWOW64\Ongnonkb.exe Oenifh32.exe File opened for modification C:\Windows\SysWOW64\Djbiicon.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Ffkcbgek.exe File created C:\Windows\SysWOW64\Hcplhi32.exe Hpapln32.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Eakjok32.dll Nmjblg32.exe File opened for modification C:\Windows\SysWOW64\Afkbib32.exe Abpfhcje.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Boiccdnf.exe File created C:\Windows\SysWOW64\Fnbkddem.exe Ffkcbgek.exe File opened for modification C:\Windows\SysWOW64\Fdapak32.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Gknfklng.dll Hggomh32.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hcplhi32.exe File created C:\Windows\SysWOW64\Qnigda32.exe Qjmkcbcb.exe File opened for modification C:\Windows\SysWOW64\Adhlaggp.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Leajegob.dll Bopicc32.exe File created C:\Windows\SysWOW64\Ebinic32.exe Ennaieib.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Pabakh32.dll Gaqcoc32.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Bkodhe32.exe Blmdlhmp.exe File opened for modification C:\Windows\SysWOW64\Ddcdkl32.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Pafagk32.dll Dqlafm32.exe File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Kedlancd.dll Ohqbqhde.exe File created C:\Windows\SysWOW64\Mbjlmdgj.dll Obigjnkf.exe File created C:\Windows\SysWOW64\Cgcmfjnn.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Ggpimica.exe File created C:\Windows\SysWOW64\Jfcfmmpb.dll Abbbnchb.exe File created C:\Windows\SysWOW64\Gddifnbk.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Ncancbha.exe Nofabc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3132 3100 WerFault.exe 280 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" Oojknblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakeiib.dll" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Onmkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okoomd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahakmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djefobmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efncicpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjcng32.dll" Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqipbka.dll" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnpmipql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbmjplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocemcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjijdadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bhhnli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aalmklfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdbhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dbpodagk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfijnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll" Cllpkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplhpb32.dll" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Gmgdddmq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 1192 1688 88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe 28 PID 1688 wrote to memory of 1192 1688 88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe 28 PID 1688 wrote to memory of 1192 1688 88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe 28 PID 1688 wrote to memory of 1192 1688 88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe 28 PID 1192 wrote to memory of 2112 1192 Mpjoqhah.exe 29 PID 1192 wrote to memory of 2112 1192 Mpjoqhah.exe 29 PID 1192 wrote to memory of 2112 1192 Mpjoqhah.exe 29 PID 1192 wrote to memory of 2112 1192 Mpjoqhah.exe 29 PID 2112 wrote to memory of 2688 2112 Mkobnqan.exe 30 PID 2112 wrote to memory of 2688 2112 Mkobnqan.exe 30 PID 2112 wrote to memory of 2688 2112 Mkobnqan.exe 30 PID 2112 wrote to memory of 2688 2112 Mkobnqan.exe 30 PID 2688 wrote to memory of 2684 2688 Nplkfgoe.exe 31 PID 2688 wrote to memory of 2684 2688 Nplkfgoe.exe 31 PID 2688 wrote to memory of 2684 2688 Nplkfgoe.exe 31 PID 2688 wrote to memory of 2684 2688 Nplkfgoe.exe 31 PID 2684 wrote to memory of 2968 2684 Ngfcca32.exe 32 PID 2684 wrote to memory of 2968 2684 Ngfcca32.exe 32 PID 2684 wrote to memory of 2968 2684 Ngfcca32.exe 32 PID 2684 wrote to memory of 2968 2684 Ngfcca32.exe 32 PID 2968 wrote to memory of 2440 2968 Njdpomfe.exe 33 PID 2968 wrote to memory of 2440 2968 Njdpomfe.exe 33 PID 2968 wrote to memory of 2440 2968 Njdpomfe.exe 33 PID 2968 wrote to memory of 2440 2968 Njdpomfe.exe 33 PID 2440 wrote to memory of 2972 2440 Npnhlg32.exe 34 PID 2440 wrote to memory of 2972 2440 Npnhlg32.exe 34 PID 2440 wrote to memory of 2972 2440 Npnhlg32.exe 34 PID 2440 wrote to memory of 2972 2440 Npnhlg32.exe 34 PID 2972 wrote to memory of 2744 2972 Nfkpdn32.exe 35 PID 2972 wrote to memory of 2744 2972 Nfkpdn32.exe 35 PID 2972 wrote to memory of 2744 2972 Nfkpdn32.exe 35 PID 2972 wrote to memory of 2744 2972 Nfkpdn32.exe 35 PID 2744 wrote to memory of 2824 2744 Nnbhek32.exe 36 PID 2744 wrote to memory of 2824 2744 Nnbhek32.exe 36 PID 2744 wrote to memory of 2824 2744 Nnbhek32.exe 36 PID 2744 wrote to memory of 2824 2744 Nnbhek32.exe 36 PID 2824 wrote to memory of 880 2824 Nocemcbj.exe 37 PID 2824 wrote to memory of 880 2824 Nocemcbj.exe 37 PID 2824 wrote to memory of 880 2824 Nocemcbj.exe 37 PID 2824 wrote to memory of 880 2824 Nocemcbj.exe 37 PID 880 wrote to memory of 1432 880 Ngkmnacm.exe 38 PID 880 wrote to memory of 1432 880 Ngkmnacm.exe 38 PID 880 wrote to memory of 1432 880 Ngkmnacm.exe 38 PID 880 wrote to memory of 1432 880 Ngkmnacm.exe 38 PID 1432 wrote to memory of 2396 1432 Nhlifi32.exe 39 PID 1432 wrote to memory of 2396 1432 Nhlifi32.exe 39 PID 1432 wrote to memory of 2396 1432 Nhlifi32.exe 39 PID 1432 wrote to memory of 2396 1432 Nhlifi32.exe 39 PID 2396 wrote to memory of 2432 2396 Nofabc32.exe 40 PID 2396 wrote to memory of 2432 2396 Nofabc32.exe 40 PID 2396 wrote to memory of 2432 2396 Nofabc32.exe 40 PID 2396 wrote to memory of 2432 2396 Nofabc32.exe 40 PID 2432 wrote to memory of 1332 2432 Ncancbha.exe 41 PID 2432 wrote to memory of 1332 2432 Ncancbha.exe 41 PID 2432 wrote to memory of 1332 2432 Ncancbha.exe 41 PID 2432 wrote to memory of 1332 2432 Ncancbha.exe 41 PID 1332 wrote to memory of 2084 1332 Njkfpl32.exe 42 PID 1332 wrote to memory of 2084 1332 Njkfpl32.exe 42 PID 1332 wrote to memory of 2084 1332 Njkfpl32.exe 42 PID 1332 wrote to memory of 2084 1332 Njkfpl32.exe 42 PID 2084 wrote to memory of 2216 2084 Nmjblg32.exe 43 PID 2084 wrote to memory of 2216 2084 Nmjblg32.exe 43 PID 2084 wrote to memory of 2216 2084 Nmjblg32.exe 43 PID 2084 wrote to memory of 2216 2084 Nmjblg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\88a164a77162f926d11fdad26ab525f7e5290e11155c63b6bf997f721592fb53_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe33⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe35⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe36⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe39⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe40⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe41⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe43⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe47⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe49⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe50⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe52⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe56⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe57⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe59⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe62⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe64⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe65⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe66⤵PID:2860
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe67⤵PID:1516
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe68⤵PID:284
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe69⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe71⤵PID:1136
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe72⤵PID:2956
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe73⤵PID:2332
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe74⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe75⤵PID:1992
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe76⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe77⤵PID:800
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe78⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe79⤵PID:1700
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe81⤵PID:1340
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe84⤵PID:2072
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe85⤵PID:1288
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe87⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe88⤵PID:1604
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe89⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe91⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe92⤵PID:2944
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe94⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe95⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe96⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe97⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe98⤵PID:1096
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe99⤵
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe102⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe103⤵PID:3000
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe105⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe106⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe108⤵PID:2916
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe109⤵PID:2700
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe111⤵PID:2068
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe112⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe113⤵
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe114⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe115⤵
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe117⤵PID:2576
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe118⤵PID:2104
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe121⤵PID:2328
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-