Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 14:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe
-
Size
50KB
-
MD5
00663f39d1f70fc03dd1d3f6533f0b20
-
SHA1
36bef1f7aa3118e450756a61fdf0b9fb9af1e90f
-
SHA256
882f5430d9e9f6b0e55a8224e732e85acc667e7ee8b1f4d5465110908af79c2a
-
SHA512
d95b1f31fe8c425712e9f482abc62b0f16f18a3e4b1cd405e68c48e5d755aff20c3150bd85afa3d008bca19c9846bdd50bd44c8cd6edb464abeaf5c25e003ae7
-
SSDEEP
768:tbhf6TWoaFQbEDycz4kbtqMFVQUODgT/vT8p3kBGv0Hza2/1H5HT42+j:vfIVodqatqY+U66w3kB5dC28
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepiimfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmihhelk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccmffjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhgdkjol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbhgojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Namqci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcihlong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lapnnafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdgneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedkbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichllgfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmafj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meppiblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefijfii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjfkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihqkagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icpigm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfenbpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnojioo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmemc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihankokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikaio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfknbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbbbffj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalqkbk.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Hicodd32.exe 2628 Hejoiedd.exe 2792 Hlcgeo32.exe 2636 Hgilchkf.exe 2768 Hhjhkq32.exe 2568 Hcplhi32.exe 2484 Henidd32.exe 2744 Hhmepp32.exe 2400 Icbimi32.exe 1644 Ihoafpmp.exe 1324 Ioijbj32.exe 2576 Ifcbodli.exe 320 Ihankokm.exe 2432 Inngcfid.exe 1612 Iqmcpahh.exe 2084 Ikbgmj32.exe 3052 Inqcif32.exe 1328 Iqopea32.exe 648 Icmlam32.exe 1148 Incpoe32.exe 2368 Imfqjbli.exe 1788 Icpigm32.exe 1820 Ifnechbj.exe 1824 Jnemdecl.exe 1016 Jqdipqbp.exe 1756 Jcbellac.exe 1736 Jiondcpk.exe 2448 Jqfffqpm.exe 2612 Jbgbni32.exe 2800 Jokcgmee.exe 2624 Jbjochdi.exe 2544 Jkbcln32.exe 2688 Jnqphi32.exe 2220 Jgidao32.exe 2036 Joplbl32.exe 2836 Jbnhng32.exe 552 Kihqkagp.exe 1732 Kkgmgmfd.exe 2248 Kaceodek.exe 868 Kkijmm32.exe 572 Kjljhjkl.exe 1056 Keanebkb.exe 2616 Kgpjanje.exe 1584 Kpkofpgq.exe 1312 Kcfkfo32.exe 1692 Kfegbj32.exe 1096 Kcihlong.exe 2040 Kmaled32.exe 1544 Lpphap32.exe 1804 Lckdanld.exe 2416 Lmcijcbe.exe 2944 Llfifq32.exe 1600 Loeebl32.exe 3056 Lflmci32.exe 2816 Lhmjkaoc.exe 2824 Lliflp32.exe 2516 Lbcnhjnj.exe 3012 Lafndg32.exe 2736 Lhpfqama.exe 2204 Lkncmmle.exe 1036 Lojomkdn.exe 1728 Lahkigca.exe 328 Ldfgebbe.exe 1168 Lhbcfa32.exe -
Loads dropped DLL 64 IoCs
pid Process 3016 00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe 3016 00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe 2236 Hicodd32.exe 2236 Hicodd32.exe 2628 Hejoiedd.exe 2628 Hejoiedd.exe 2792 Hlcgeo32.exe 2792 Hlcgeo32.exe 2636 Hgilchkf.exe 2636 Hgilchkf.exe 2768 Hhjhkq32.exe 2768 Hhjhkq32.exe 2568 Hcplhi32.exe 2568 Hcplhi32.exe 2484 Henidd32.exe 2484 Henidd32.exe 2744 Hhmepp32.exe 2744 Hhmepp32.exe 2400 Icbimi32.exe 2400 Icbimi32.exe 1644 Ihoafpmp.exe 1644 Ihoafpmp.exe 1324 Ioijbj32.exe 1324 Ioijbj32.exe 2576 Ifcbodli.exe 2576 Ifcbodli.exe 320 Ihankokm.exe 320 Ihankokm.exe 2432 Inngcfid.exe 2432 Inngcfid.exe 1612 Iqmcpahh.exe 1612 Iqmcpahh.exe 2084 Ikbgmj32.exe 2084 Ikbgmj32.exe 3052 Inqcif32.exe 3052 Inqcif32.exe 1328 Iqopea32.exe 1328 Iqopea32.exe 648 Icmlam32.exe 648 Icmlam32.exe 1148 Incpoe32.exe 1148 Incpoe32.exe 2368 Imfqjbli.exe 2368 Imfqjbli.exe 1788 Icpigm32.exe 1788 Icpigm32.exe 1820 Ifnechbj.exe 1820 Ifnechbj.exe 1824 Jnemdecl.exe 1824 Jnemdecl.exe 1016 Jqdipqbp.exe 1016 Jqdipqbp.exe 1756 Jcbellac.exe 1756 Jcbellac.exe 1736 Jiondcpk.exe 1736 Jiondcpk.exe 2448 Jqfffqpm.exe 2448 Jqfffqpm.exe 2612 Jbgbni32.exe 2612 Jbgbni32.exe 2800 Jokcgmee.exe 2800 Jokcgmee.exe 2624 Jbjochdi.exe 2624 Jbjochdi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe Henidd32.exe File created C:\Windows\SysWOW64\Jjhhpp32.dll Ceaadk32.exe File opened for modification C:\Windows\SysWOW64\Fmbhok32.exe Fekpnn32.exe File created C:\Windows\SysWOW64\Ldlimbcf.dll Kkgmgmfd.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Mamddf32.exe File created C:\Windows\SysWOW64\Cgllco32.dll Efaibbij.exe File created C:\Windows\SysWOW64\Iamimc32.exe Icjhagdp.exe File created C:\Windows\SysWOW64\Almjnp32.dll Mooaljkh.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Ihgainbg.exe File created C:\Windows\SysWOW64\Kigbna32.dll Jnffgd32.exe File created C:\Windows\SysWOW64\Cljiflem.dll Jfknbe32.exe File opened for modification C:\Windows\SysWOW64\Mgimmm32.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Aaaoij32.exe Anccmo32.exe File opened for modification C:\Windows\SysWOW64\Mkhofjoj.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Ndjfeo32.exe Npojdpef.exe File created C:\Windows\SysWOW64\Djmicm32.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Ebmgcohn.exe File opened for modification C:\Windows\SysWOW64\Jdpndnei.exe Jfnnha32.exe File opened for modification C:\Windows\SysWOW64\Jgidao32.exe Jnqphi32.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Ocnfbo32.exe File opened for modification C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File created C:\Windows\SysWOW64\Ldhnfd32.dll Qfokbnip.exe File created C:\Windows\SysWOW64\Gellaqbd.dll Cnkicn32.exe File created C:\Windows\SysWOW64\Mdcpdp32.exe Meppiblm.exe File created C:\Windows\SysWOW64\Pbfpik32.exe Pnjdhmdo.exe File created C:\Windows\SysWOW64\Gedbdlbb.exe Fmmkcoap.exe File created C:\Windows\SysWOW64\Lhpbmi32.dll Hiknhbcg.exe File created C:\Windows\SysWOW64\Kmcipd32.dll Kfmjgeaj.exe File created C:\Windows\SysWOW64\Llcefjgf.exe Lghjel32.exe File opened for modification C:\Windows\SysWOW64\Hejoiedd.exe Hicodd32.exe File created C:\Windows\SysWOW64\Fmmkcoap.exe Fjongcbl.exe File opened for modification C:\Windows\SysWOW64\Mmldme32.exe Mkmhaj32.exe File created C:\Windows\SysWOW64\Kfegbj32.exe Kcfkfo32.exe File created C:\Windows\SysWOW64\Ckchjmoo.dll Llfifq32.exe File created C:\Windows\SysWOW64\Noqamn32.exe Nkeelohh.exe File created C:\Windows\SysWOW64\Klmkof32.dll Eibbcm32.exe File created C:\Windows\SysWOW64\Bibkki32.dll Lafndg32.exe File created C:\Windows\SysWOW64\Nkeelohh.exe Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Oddpfc32.exe Olmhdf32.exe File created C:\Windows\SysWOW64\Haloha32.dll Bifgdk32.exe File opened for modification C:\Windows\SysWOW64\Mbkmlh32.exe Mooaljkh.exe File created C:\Windows\SysWOW64\Chboohof.dll Bbhela32.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hgilchkf.exe File created C:\Windows\SysWOW64\Mdmmfa32.exe Maoajf32.exe File created C:\Windows\SysWOW64\Kijmee32.dll Nkgbbo32.exe File created C:\Windows\SysWOW64\Ndbcpd32.exe Nacgdhlp.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ofjfhk32.exe File created C:\Windows\SysWOW64\Eicieohp.dll Jocflgga.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Papfegmk.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Pefgcifd.dll Gedbdlbb.exe File opened for modification C:\Windows\SysWOW64\Hdqbekcm.exe Habfipdj.exe File opened for modification C:\Windows\SysWOW64\Iheddndj.exe Iefhhbef.exe File created C:\Windows\SysWOW64\Dogefd32.exe Dliijipn.exe File created C:\Windows\SysWOW64\Eplkpgnh.exe Eqijej32.exe File created C:\Windows\SysWOW64\Hhgdkjol.exe Heihnoph.exe File created C:\Windows\SysWOW64\Jdpndnei.exe Jfnnha32.exe File opened for modification C:\Windows\SysWOW64\Mdcpdp32.exe Meppiblm.exe File created C:\Windows\SysWOW64\Meijhc32.exe Mbkmlh32.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Icbimi32.exe File created C:\Windows\SysWOW64\Dmlphhec.dll Mpfkqb32.exe File opened for modification C:\Windows\SysWOW64\Pgbhabjp.exe Pedleg32.exe File created C:\Windows\SysWOW64\Dlkaflan.dll Dglpbbbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4424 4320 WerFault.exe 465 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllbijej.dll" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdmmfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjpeifj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gebbnpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaceodek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigbna32.dll" Jnffgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjapjmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndohedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mencccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biicik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghniakc.dll" Olmhdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmhdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfdaigg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkmhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Namqci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnkpbcjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegqdqbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndbcpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddigjkid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lbfdaigg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjolo32.dll" Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jndkpj32.dll" Fhneehek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcmafj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoamnbaf.dll" Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjdfmo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2236 3016 00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe 28 PID 3016 wrote to memory of 2236 3016 00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe 28 PID 3016 wrote to memory of 2236 3016 00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe 28 PID 3016 wrote to memory of 2236 3016 00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe 28 PID 2236 wrote to memory of 2628 2236 Hicodd32.exe 29 PID 2236 wrote to memory of 2628 2236 Hicodd32.exe 29 PID 2236 wrote to memory of 2628 2236 Hicodd32.exe 29 PID 2236 wrote to memory of 2628 2236 Hicodd32.exe 29 PID 2628 wrote to memory of 2792 2628 Hejoiedd.exe 30 PID 2628 wrote to memory of 2792 2628 Hejoiedd.exe 30 PID 2628 wrote to memory of 2792 2628 Hejoiedd.exe 30 PID 2628 wrote to memory of 2792 2628 Hejoiedd.exe 30 PID 2792 wrote to memory of 2636 2792 Hlcgeo32.exe 31 PID 2792 wrote to memory of 2636 2792 Hlcgeo32.exe 31 PID 2792 wrote to memory of 2636 2792 Hlcgeo32.exe 31 PID 2792 wrote to memory of 2636 2792 Hlcgeo32.exe 31 PID 2636 wrote to memory of 2768 2636 Hgilchkf.exe 32 PID 2636 wrote to memory of 2768 2636 Hgilchkf.exe 32 PID 2636 wrote to memory of 2768 2636 Hgilchkf.exe 32 PID 2636 wrote to memory of 2768 2636 Hgilchkf.exe 32 PID 2768 wrote to memory of 2568 2768 Hhjhkq32.exe 33 PID 2768 wrote to memory of 2568 2768 Hhjhkq32.exe 33 PID 2768 wrote to memory of 2568 2768 Hhjhkq32.exe 33 PID 2768 wrote to memory of 2568 2768 Hhjhkq32.exe 33 PID 2568 wrote to memory of 2484 2568 Hcplhi32.exe 34 PID 2568 wrote to memory of 2484 2568 Hcplhi32.exe 34 PID 2568 wrote to memory of 2484 2568 Hcplhi32.exe 34 PID 2568 wrote to memory of 2484 2568 Hcplhi32.exe 34 PID 2484 wrote to memory of 2744 2484 Henidd32.exe 35 PID 2484 wrote to memory of 2744 2484 Henidd32.exe 35 PID 2484 wrote to memory of 2744 2484 Henidd32.exe 35 PID 2484 wrote to memory of 2744 2484 Henidd32.exe 35 PID 2744 wrote to memory of 2400 2744 Hhmepp32.exe 36 PID 2744 wrote to memory of 2400 2744 Hhmepp32.exe 36 PID 2744 wrote to memory of 2400 2744 Hhmepp32.exe 36 PID 2744 wrote to memory of 2400 2744 Hhmepp32.exe 36 PID 2400 wrote to memory of 1644 2400 Icbimi32.exe 37 PID 2400 wrote to memory of 1644 2400 Icbimi32.exe 37 PID 2400 wrote to memory of 1644 2400 Icbimi32.exe 37 PID 2400 wrote to memory of 1644 2400 Icbimi32.exe 37 PID 1644 wrote to memory of 1324 1644 Ihoafpmp.exe 38 PID 1644 wrote to memory of 1324 1644 Ihoafpmp.exe 38 PID 1644 wrote to memory of 1324 1644 Ihoafpmp.exe 38 PID 1644 wrote to memory of 1324 1644 Ihoafpmp.exe 38 PID 1324 wrote to memory of 2576 1324 Ioijbj32.exe 39 PID 1324 wrote to memory of 2576 1324 Ioijbj32.exe 39 PID 1324 wrote to memory of 2576 1324 Ioijbj32.exe 39 PID 1324 wrote to memory of 2576 1324 Ioijbj32.exe 39 PID 2576 wrote to memory of 320 2576 Ifcbodli.exe 40 PID 2576 wrote to memory of 320 2576 Ifcbodli.exe 40 PID 2576 wrote to memory of 320 2576 Ifcbodli.exe 40 PID 2576 wrote to memory of 320 2576 Ifcbodli.exe 40 PID 320 wrote to memory of 2432 320 Ihankokm.exe 41 PID 320 wrote to memory of 2432 320 Ihankokm.exe 41 PID 320 wrote to memory of 2432 320 Ihankokm.exe 41 PID 320 wrote to memory of 2432 320 Ihankokm.exe 41 PID 2432 wrote to memory of 1612 2432 Inngcfid.exe 42 PID 2432 wrote to memory of 1612 2432 Inngcfid.exe 42 PID 2432 wrote to memory of 1612 2432 Inngcfid.exe 42 PID 2432 wrote to memory of 1612 2432 Inngcfid.exe 42 PID 1612 wrote to memory of 2084 1612 Iqmcpahh.exe 43 PID 1612 wrote to memory of 2084 1612 Iqmcpahh.exe 43 PID 1612 wrote to memory of 2084 1612 Iqmcpahh.exe 43 PID 1612 wrote to memory of 2084 1612 Iqmcpahh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\00663f39d1f70fc03dd1d3f6533f0b20_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:648 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe33⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe35⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe36⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe41⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe42⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe43⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe45⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe47⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe49⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe50⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe51⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe52⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe54⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe55⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe56⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe57⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe58⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe60⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe61⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe62⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe63⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe65⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe66⤵PID:1684
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe67⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe68⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe69⤵PID:2344
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe70⤵PID:2000
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe72⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe73⤵PID:2936
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe74⤵PID:908
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe75⤵PID:2700
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe76⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe77⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe78⤵PID:2548
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe79⤵PID:2764
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe81⤵PID:1772
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe82⤵PID:352
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe83⤵PID:2240
-
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe85⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe86⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe87⤵PID:296
-
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe88⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe89⤵PID:3020
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe90⤵PID:2076
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe91⤵PID:2528
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe93⤵PID:2872
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe95⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe96⤵
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe97⤵
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe98⤵PID:2320
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe99⤵PID:2080
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe100⤵PID:108
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe101⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe103⤵PID:1816
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe104⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe105⤵PID:1136
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe106⤵PID:2532
-
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe107⤵PID:2676
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe108⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe109⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe110⤵PID:1808
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe111⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe113⤵PID:1540
-
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe114⤵PID:2016
-
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe115⤵PID:1276
-
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe116⤵PID:1664
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe117⤵PID:1568
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe118⤵PID:2244
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe119⤵PID:2832
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe121⤵PID:2172
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-