Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 03:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe
-
Size
136KB
-
MD5
ab0b4a48ed24b7525e678d51321377f0
-
SHA1
55c45f74c63e9880a2e52207e0b220bcea0785dc
-
SHA256
560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0
-
SHA512
67f5b36aa7684530275c3eec52420c9802462377548051e02ec506f6ca4f5fac3e169e12fc926d26f27ae454347dcd491d12734164bd628cdc0887dffa425c1a
-
SSDEEP
1536:4MG97f84TDT2SARt9QcCJGem8uHwbQCT5wjz0cZ44mjD9r823FQ75/DtXh:4MGdfBAt9Qc0TuHbC9Ri/mjRrz3OT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioilkblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dohgomgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcbecl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helngnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajecmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipiljgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqfemqod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjllab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbqbaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgebdipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjlgfaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gihniioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcgmoggn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejjbbkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmphhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfnneb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekpheb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklejh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqoipkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdjkogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkljdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoohekal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfnmpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnknoogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdejhfig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmjnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeielfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhoice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfgafadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohidmoaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnegnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fidhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqmjnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhjlbbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odeiibdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjfpafmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khkbbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbndpmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hppfog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmphhc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2672 Kofopj32.exe 2728 Kgcpjmcb.exe 2880 Kaldcb32.exe 2512 Kgemplap.exe 2508 Lanaiahq.exe 2124 Lnbbbffj.exe 736 Lcojjmea.exe 1128 Lpekon32.exe 2836 Lgmcqkkh.exe 2960 Laegiq32.exe 1692 Lbfdaigg.exe 1640 Lmlhnagm.exe 2452 Lcfqkl32.exe 856 Mpmapm32.exe 860 Mieeibkn.exe 3016 Moanaiie.exe 1892 Modkfi32.exe 2288 Mdacop32.exe 948 Mofglh32.exe 1688 Meppiblm.exe 360 Mkmhaj32.exe 1104 Ndemjoae.exe 300 Nibebfpl.exe 2908 Ndhipoob.exe 2696 Nkbalifo.exe 1464 Ngibaj32.exe 1972 Npagjpcd.exe 1184 Nhllob32.exe 2992 Nilhhdga.exe 2732 Oohqqlei.exe 2636 Odeiibdq.exe 2876 Oaiibg32.exe 1900 Onpjghhn.exe 2780 Oghopm32.exe 1496 Oqacic32.exe 2964 Okfgfl32.exe 2392 Ocalkn32.exe 800 Pqemdbaj.exe 2792 Pfbelipa.exe 1456 Pmlmic32.exe 1940 Pgbafl32.exe 1968 Pomfkndo.exe 2680 Pmagdbci.exe 1096 Pmccjbaf.exe 1708 Qflhbhgg.exe 1480 Qngmgjeb.exe 1028 Qeaedd32.exe 748 Qjnmlk32.exe 284 Aganeoip.exe 2320 Amnfnfgg.exe 2076 Agdjkogm.exe 900 Annbhi32.exe 2092 Apoooa32.exe 1592 Ajecmj32.exe 2000 Aaolidlk.exe 1748 Abphal32.exe 2748 Alhmjbhj.exe 2500 Afnagk32.exe 1676 Bmhideol.exe 2952 Bbdallnd.exe 432 Eflill32.exe 1504 Ejjbbkpj.exe 2008 Ekknjcfh.exe 2244 Ehoocgeb.exe -
Loads dropped DLL 64 IoCs
pid Process 2100 560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe 2100 560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe 2672 Kofopj32.exe 2672 Kofopj32.exe 2728 Kgcpjmcb.exe 2728 Kgcpjmcb.exe 2880 Kaldcb32.exe 2880 Kaldcb32.exe 2512 Kgemplap.exe 2512 Kgemplap.exe 2508 Lanaiahq.exe 2508 Lanaiahq.exe 2124 Lnbbbffj.exe 2124 Lnbbbffj.exe 736 Lcojjmea.exe 736 Lcojjmea.exe 1128 Lpekon32.exe 1128 Lpekon32.exe 2836 Lgmcqkkh.exe 2836 Lgmcqkkh.exe 2960 Laegiq32.exe 2960 Laegiq32.exe 1692 Lbfdaigg.exe 1692 Lbfdaigg.exe 1640 Lmlhnagm.exe 1640 Lmlhnagm.exe 2452 Lcfqkl32.exe 2452 Lcfqkl32.exe 856 Mpmapm32.exe 856 Mpmapm32.exe 860 Mieeibkn.exe 860 Mieeibkn.exe 3016 Moanaiie.exe 3016 Moanaiie.exe 1892 Modkfi32.exe 1892 Modkfi32.exe 2288 Mdacop32.exe 2288 Mdacop32.exe 948 Mofglh32.exe 948 Mofglh32.exe 1688 Meppiblm.exe 1688 Meppiblm.exe 360 Mkmhaj32.exe 360 Mkmhaj32.exe 1104 Ndemjoae.exe 1104 Ndemjoae.exe 300 Nibebfpl.exe 300 Nibebfpl.exe 2908 Ndhipoob.exe 2908 Ndhipoob.exe 2696 Nkbalifo.exe 2696 Nkbalifo.exe 1464 Ngibaj32.exe 1464 Ngibaj32.exe 1972 Npagjpcd.exe 1972 Npagjpcd.exe 1184 Nhllob32.exe 1184 Nhllob32.exe 2992 Nilhhdga.exe 2992 Nilhhdga.exe 2732 Oohqqlei.exe 2732 Oohqqlei.exe 2636 Odeiibdq.exe 2636 Odeiibdq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fnipkkdl.exe Ffmkfifa.exe File opened for modification C:\Windows\SysWOW64\Oabkom32.exe Oekjjl32.exe File created C:\Windows\SysWOW64\Gqnbhf32.exe Gmpjagfa.exe File opened for modification C:\Windows\SysWOW64\Dlfgcl32.exe Demofaol.exe File opened for modification C:\Windows\SysWOW64\Kjmnjkjd.exe Khkbbc32.exe File opened for modification C:\Windows\SysWOW64\Qngmgjeb.exe Qflhbhgg.exe File created C:\Windows\SysWOW64\Kofcba32.dll Mbhjlbbh.exe File created C:\Windows\SysWOW64\Ocalkn32.exe Okfgfl32.exe File opened for modification C:\Windows\SysWOW64\Aganeoip.exe Qjnmlk32.exe File opened for modification C:\Windows\SysWOW64\Illbhp32.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Ljcbaamh.exe Kcijeg32.exe File opened for modification C:\Windows\SysWOW64\Gqnbhf32.exe Gmpjagfa.exe File created C:\Windows\SysWOW64\Difnaqih.exe Cpmjhk32.exe File created C:\Windows\SysWOW64\Enmkijgm.dll Jialfgcc.exe File created C:\Windows\SysWOW64\Jbdipkfe.dll Agdjkogm.exe File created C:\Windows\SysWOW64\Anllfndp.dll Jlklnjoh.exe File opened for modification C:\Windows\SysWOW64\Jdkjnl32.exe Jlpeij32.exe File created C:\Windows\SysWOW64\Hnifgpff.dll Kqfdnljm.exe File created C:\Windows\SysWOW64\Gfcnegnk.exe Fqfemqod.exe File created C:\Windows\SysWOW64\Pplaki32.exe Pojecajj.exe File created C:\Windows\SysWOW64\Bkhhhd32.exe Abpcooea.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Mkmhaj32.exe File created C:\Windows\SysWOW64\Lmpanl32.dll Afnagk32.exe File created C:\Windows\SysWOW64\Gpnmjd32.exe Gmoqnhla.exe File opened for modification C:\Windows\SysWOW64\Lqmjnk32.exe Ljcbaamh.exe File created C:\Windows\SysWOW64\Illbhp32.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Jehlkhig.exe Jialfgcc.exe File opened for modification C:\Windows\SysWOW64\Mnomjl32.exe Mqklqhpg.exe File created C:\Windows\SysWOW64\Fekagf32.dll Apoooa32.exe File opened for modification C:\Windows\SysWOW64\Ihmgiiff.exe Hflkaq32.exe File opened for modification C:\Windows\SysWOW64\Bjoofhgc.exe Bgqcjlhp.exe File created C:\Windows\SysWOW64\Komnbg32.dll Ldoimh32.exe File created C:\Windows\SysWOW64\Mpjdmlgk.dll Kcgmoggn.exe File created C:\Windows\SysWOW64\Mhgoji32.exe Mclcijfd.exe File opened for modification C:\Windows\SysWOW64\Mdiefffn.exe Mnomjl32.exe File created C:\Windows\SysWOW64\Kheoph32.dll Mcckcbgp.exe File created C:\Windows\SysWOW64\Qglmpi32.exe Pcnejk32.exe File created C:\Windows\SysWOW64\Hnaldfli.dll Ekfndmfb.exe File created C:\Windows\SysWOW64\Foafdoag.exe Fbmfkkbm.exe File created C:\Windows\SysWOW64\Ncfoch32.exe Mjnjjbbh.exe File created C:\Windows\SysWOW64\Dpapaj32.exe Calcpm32.exe File created C:\Windows\SysWOW64\Ihmgiiff.exe Hflkaq32.exe File created C:\Windows\SysWOW64\Ialelpfl.dll Incbgnmc.exe File opened for modification C:\Windows\SysWOW64\Mhilph32.exe Mhgoji32.exe File opened for modification C:\Windows\SysWOW64\Bmphhc32.exe Bffpki32.exe File opened for modification C:\Windows\SysWOW64\Pepcelel.exe Pkjphcff.exe File created C:\Windows\SysWOW64\Hjqqap32.exe Hpkldg32.exe File opened for modification C:\Windows\SysWOW64\Najpll32.exe Ncfoch32.exe File created C:\Windows\SysWOW64\Cmmagpef.exe Cbgmigeq.exe File created C:\Windows\SysWOW64\Hedbmpnc.dll Fqfemqod.exe File created C:\Windows\SysWOW64\Gpkpedmh.exe Gjngmmnp.exe File opened for modification C:\Windows\SysWOW64\Pdgkco32.exe Pgckjk32.exe File created C:\Windows\SysWOW64\Ihglhp32.exe Imahkg32.exe File created C:\Windows\SysWOW64\Qndkpmkm.exe Pleofj32.exe File opened for modification C:\Windows\SysWOW64\Mpmapm32.exe Lcfqkl32.exe File created C:\Windows\SysWOW64\Nfebijjj.dll Lnhdqdnd.exe File opened for modification C:\Windows\SysWOW64\Bkbaii32.exe Bbjmpcab.exe File created C:\Windows\SysWOW64\Dlfgcl32.exe Demofaol.exe File created C:\Windows\SysWOW64\Nmqpam32.exe Nfghdcfj.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Jehlkhig.exe File created C:\Windows\SysWOW64\Giackg32.dll Jehlkhig.exe File created C:\Windows\SysWOW64\Oefdbdjo.dll Opnbbe32.exe File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Mpmapm32.exe File created C:\Windows\SysWOW64\Bfenfipk.dll Nhllob32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4588 4836 WerFault.exe 424 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbmfkkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahll32.dll" Gqnbhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" Pmlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemnfnhd.dll" Jgncfcaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll" Mnmpdlac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpopnejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhdjk32.dll" Omcifpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maapdeaa.dll" Ioilkblq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hphidanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oohqqlei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll" Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoohekal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhjijha.dll" Jplkmgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcfqkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijcglcj.dll" Chqoipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdejhfig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Becpap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdamcl32.dll" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfolaang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imoilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjjaebl.dll" Fqalaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofinocal.dll" Iggned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" Abpcooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qngmgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amnfnfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcfjmkg.dll" Bfagpiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bffpki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpcqnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" Amnfnfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljcbaamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilfnc32.dll" Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jialfgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eflill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjeefofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmdim32.dll" Poklngnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll" Oplelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclchm32.dll" Gbqbaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obdojcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbakd32.dll" Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmapnj.dll" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll" Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agjmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" Ajecmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnejbmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fciang32.dll" Jolepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgoji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkbeabf.dll" Ecfldoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgbeiiqe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2672 2100 560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 2672 2100 560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 2672 2100 560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 2672 2100 560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe 28 PID 2672 wrote to memory of 2728 2672 Kofopj32.exe 29 PID 2672 wrote to memory of 2728 2672 Kofopj32.exe 29 PID 2672 wrote to memory of 2728 2672 Kofopj32.exe 29 PID 2672 wrote to memory of 2728 2672 Kofopj32.exe 29 PID 2728 wrote to memory of 2880 2728 Kgcpjmcb.exe 30 PID 2728 wrote to memory of 2880 2728 Kgcpjmcb.exe 30 PID 2728 wrote to memory of 2880 2728 Kgcpjmcb.exe 30 PID 2728 wrote to memory of 2880 2728 Kgcpjmcb.exe 30 PID 2880 wrote to memory of 2512 2880 Kaldcb32.exe 31 PID 2880 wrote to memory of 2512 2880 Kaldcb32.exe 31 PID 2880 wrote to memory of 2512 2880 Kaldcb32.exe 31 PID 2880 wrote to memory of 2512 2880 Kaldcb32.exe 31 PID 2512 wrote to memory of 2508 2512 Kgemplap.exe 32 PID 2512 wrote to memory of 2508 2512 Kgemplap.exe 32 PID 2512 wrote to memory of 2508 2512 Kgemplap.exe 32 PID 2512 wrote to memory of 2508 2512 Kgemplap.exe 32 PID 2508 wrote to memory of 2124 2508 Lanaiahq.exe 33 PID 2508 wrote to memory of 2124 2508 Lanaiahq.exe 33 PID 2508 wrote to memory of 2124 2508 Lanaiahq.exe 33 PID 2508 wrote to memory of 2124 2508 Lanaiahq.exe 33 PID 2124 wrote to memory of 736 2124 Lnbbbffj.exe 34 PID 2124 wrote to memory of 736 2124 Lnbbbffj.exe 34 PID 2124 wrote to memory of 736 2124 Lnbbbffj.exe 34 PID 2124 wrote to memory of 736 2124 Lnbbbffj.exe 34 PID 736 wrote to memory of 1128 736 Lcojjmea.exe 35 PID 736 wrote to memory of 1128 736 Lcojjmea.exe 35 PID 736 wrote to memory of 1128 736 Lcojjmea.exe 35 PID 736 wrote to memory of 1128 736 Lcojjmea.exe 35 PID 1128 wrote to memory of 2836 1128 Lpekon32.exe 36 PID 1128 wrote to memory of 2836 1128 Lpekon32.exe 36 PID 1128 wrote to memory of 2836 1128 Lpekon32.exe 36 PID 1128 wrote to memory of 2836 1128 Lpekon32.exe 36 PID 2836 wrote to memory of 2960 2836 Lgmcqkkh.exe 37 PID 2836 wrote to memory of 2960 2836 Lgmcqkkh.exe 37 PID 2836 wrote to memory of 2960 2836 Lgmcqkkh.exe 37 PID 2836 wrote to memory of 2960 2836 Lgmcqkkh.exe 37 PID 2960 wrote to memory of 1692 2960 Laegiq32.exe 38 PID 2960 wrote to memory of 1692 2960 Laegiq32.exe 38 PID 2960 wrote to memory of 1692 2960 Laegiq32.exe 38 PID 2960 wrote to memory of 1692 2960 Laegiq32.exe 38 PID 1692 wrote to memory of 1640 1692 Lbfdaigg.exe 39 PID 1692 wrote to memory of 1640 1692 Lbfdaigg.exe 39 PID 1692 wrote to memory of 1640 1692 Lbfdaigg.exe 39 PID 1692 wrote to memory of 1640 1692 Lbfdaigg.exe 39 PID 1640 wrote to memory of 2452 1640 Lmlhnagm.exe 40 PID 1640 wrote to memory of 2452 1640 Lmlhnagm.exe 40 PID 1640 wrote to memory of 2452 1640 Lmlhnagm.exe 40 PID 1640 wrote to memory of 2452 1640 Lmlhnagm.exe 40 PID 2452 wrote to memory of 856 2452 Lcfqkl32.exe 41 PID 2452 wrote to memory of 856 2452 Lcfqkl32.exe 41 PID 2452 wrote to memory of 856 2452 Lcfqkl32.exe 41 PID 2452 wrote to memory of 856 2452 Lcfqkl32.exe 41 PID 856 wrote to memory of 860 856 Mpmapm32.exe 42 PID 856 wrote to memory of 860 856 Mpmapm32.exe 42 PID 856 wrote to memory of 860 856 Mpmapm32.exe 42 PID 856 wrote to memory of 860 856 Mpmapm32.exe 42 PID 860 wrote to memory of 3016 860 Mieeibkn.exe 43 PID 860 wrote to memory of 3016 860 Mieeibkn.exe 43 PID 860 wrote to memory of 3016 860 Mieeibkn.exe 43 PID 860 wrote to memory of 3016 860 Mieeibkn.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\560a4647b714a234d9126f3d99491dde356272dc50aca20e5da8986a589b99e0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:360 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Nkbalifo.exeC:\Windows\system32\Nkbalifo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe33⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe34⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe35⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe36⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe38⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe39⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe40⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe43⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe44⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe45⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe48⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe50⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe53⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe56⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe57⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe60⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe61⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe64⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe65⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe66⤵PID:1372
-
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe67⤵PID:2936
-
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe70⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe71⤵PID:2276
-
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe72⤵PID:2236
-
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe73⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe74⤵PID:2776
-
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe75⤵PID:3040
-
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe76⤵PID:1156
-
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe77⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe78⤵PID:668
-
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe79⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:108 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe81⤵PID:2744
-
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe85⤵
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe86⤵PID:1928
-
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe87⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe88⤵PID:1260
-
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe92⤵PID:2864
-
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe93⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe94⤵PID:2632
-
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe95⤵PID:2884
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe97⤵PID:2160
-
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe98⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe99⤵
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe100⤵PID:2564
-
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe101⤵PID:1140
-
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe102⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe103⤵PID:1196
-
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe104⤵PID:2172
-
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe105⤵
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe106⤵
- Drops file in System32 directory
PID:112 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe107⤵PID:2360
-
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe108⤵PID:1616
-
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe110⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe111⤵PID:428
-
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe112⤵PID:896
-
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe113⤵PID:2496
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe114⤵PID:1652
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe115⤵PID:1984
-
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe116⤵PID:2616
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe117⤵PID:1520
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe119⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe120⤵PID:2688
-
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe121⤵PID:2036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-